Peace be upon you
The vulnerability is new, dated yesterday
Quote-----------------------------------------------------------------------------
vBulletin <= 3.6.4 inlinemod.php "postids" sql injection / privilege
escalation by session hijacking exploit
by rgod
mail: retrog at alice dot it
site: ---
Works regardless of php.ini settings, you need a Super Moderator account
to copy posts among threads, to be launched while admin is logged in to
the control panel, this will give you full admin privileges
note: this will flood the forum with empty threads even!
-----------------------------------------------------------------------------
');
if ($argc<7) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS
host: target server (ip/hostname)
path: path to vbulletin
user/pass: you need a moderator account
forumid: existing forum
postid: existing post
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80
php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81
-----------------------------------------------------------------------------
');
The vulnerability has been published on the security sites
Is it allowed to post its link, or would that get me in trouble?
Regarding the patch
=========================
Quote: original post added by: العندليب
Peace be upon you, and the mercy and blessings of God
What the author of the article says is 100% correct, and there is indeed a vulnerability through which an SQL statement is injected to fetch sensitive information from the database, if the one exploiting the vulnerability is one of the moderators or the super moderator himself.
It is not very severe, so rest assured, my dear brother
The author explained the patch and said:
1- Open the file inlinemod.php located inside the vb folder
2- Search for:
PHP code:
foreach ($postids AS $index => $postid)
{
    if ($postids["$index"] != intval($postid))
    {
        unset($postids["$index"]);
    }
}
3- Replace it with:
PHP code:
foreach ($postids AS $index => $postid)
{
    $postids["$index"]=(int)$postids["$index"];
}
4- Search for:
PHP code:
foreach ($threadids AS $index => $threadid)
{
    if ($threadids["$index"] != intval($threadid))
    {
        unset($threadids["$index"]);
    }
}
5- Replace it with:
PHP code:
foreach ($threadids AS $index => $threadid)
{
    $threadids["$index"]=(int)$threadids["$index"];
}
I thank you for cooperating to do good, may God bless you for the alert, and may you and your forums be well every year.
Good luck to all
Original topic: New vulnerability in the forums, dated today, for fetching sensitive information from the database || Author: Bakenam || Source: بانى ستار forums
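
Why the replacement in steps 3 and 5 closes the hole, as an added example that is not part of the original post and not vBulletin's own code: the old filter relies on PHP's loose `!=` comparison, which on the PHP versions of that era treated a string with leading digits as equal to its integer prefix, so such strings stayed in the array. The helper `legacy_loose_equals` and the function names `filter_before` / `filter_after` are hypothetical, and the sample values are constructed.

```php
<?php
// Added illustration; not vBulletin source and not from the original post.

// Before PHP 8.0, comparing a string with an integer converted the string's
// leading digits to a number, so "12abc" == 12 was true. This hypothetical
// helper emulates that rule so the result is the same on any PHP version.
function legacy_loose_equals($value, int $number): bool
{
    return is_string($value) ? ((float) $value == $number) : ($value == $number);
}

// Filter the post says to search for: unset entries that fail the comparison.
function filter_before(array $ids): array
{
    foreach ($ids as $index => $id) {
        if (!legacy_loose_equals($ids[$index], intval($id))) {
            unset($ids[$index]);
        }
    }
    return $ids;
}

// Replacement from the post: cast every entry to an integer.
function filter_after(array $ids): array
{
    foreach ($ids as $index => $id) {
        $ids[$index] = (int) $ids[$index];
    }
    return $ids;
}

// Constructed sample input: one clean id and three values with non-digit text.
$sample = ['12', '12abc', '7 trailing text', 'abc'];

echo 'before: ', json_encode(filter_before($sample)), PHP_EOL;
echo 'after:  ', json_encode(filter_after($sample)), PHP_EOL;
```

The old filter returns all four strings unchanged, text included, while the replacement returns only integers. The cast keeps one entry per input, so a value with no digits becomes 0 instead of being dropped.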