[php]===============================================================
vBulletin 3.X/4.X CSRF IMG-Tag Exploit
===============================================================
# Exploit Title: vBulletin 3.X/4.X CSRF IMG-Tag Exploit
# Date: 28/04/2011
# Author: Cyber Tjak # Upgraded by ¥akuza112
# Software Link: http://www.vBulletin.org
# Version: 3.X & 4.X
# Google Dork 1: Powered by vBulletin 3.X
# Google Dork 2: Powered by vBulletin 4.X
# Platform / Tested on: Multiple
# Category: Webapplications
# Code : N/A
######################################################################
1 Go to a place where you want to include it, e.g. /profile.php?do=editsignature
The IMG tag must be allowed there.
2 Post a new post with this content: [IMG]Your Script[/IMG]
3 You can use it with a plugin like iTrader [url]http://[localhost]/board/itrader_fee…RID&parseurl=1[/url]
Furthermore, you can use it with external scripts like an IP-logging script.
Just like a normal CSRF vuln. =)
4 Now you see that your script is working.
# FIX: ###########################################################
You must create a whitelist of trustworthy image hosters.
1 Open ./includes/class_bbcode.php
2 Search for:
function handle_bbcode_img_match($link)
{
$link = $this->strip_smilies(str_replace('\\"', '"', $link));
// remove double spaces -- fixes issues with wordwrap
$link = str_replace(array('  ', '"'), '', $link);
return '<img src="' . $link . '" alt="" border="0" />';
}
3 Replace with:
function handle_bbcode_img_match($link)
{
    if (is_array($link)) { $link = "Array"; }

    // Trusted image hosts; the host itself or any subdomain of it is accepted
    $list = array(
        "yakuza112.org",
        "link-base.org",
        "uniquecrew.net",
        "uniquecrew.org",
        "xup.in",
        "xup.to",
        "wi.to",
        "bilderkiste.org",
        "postimg.org",
        "abload.de",
        "imgur.com",
        "antifraudcentre-centreantifraude.ca",
        "pic-upload.de",
        "imageshack.us",
        "tinypic.com",
        "twimg.com",
        "wikimedia.org",
        "ccc.de",
        "heise.de",
        "golem.de",
        "bilderload.com",
        "picload.org",
        "img-up.net",
        "imgup.net",
        "postimage.org",
        "image-hoster.de",
        "mgimg.de",
        "geek.com",
        "bilderhoster.net",
        "directupload.net",
        "s4lmedia.de",
        "anony.ws",
        "blackvpn.com",
        "emsisoft.de",
        "emsisoft.com"
    );

    // Percent-encode characters that could break out of the src attribute
    $link = preg_replace("/</", "%3C", $link);
    $link = preg_replace("/>/", "%3E", $link);
    $link = preg_replace("/\"/", "%22", $link);
    $link = preg_replace("/'/", "%27", $link);

    // Only http:// and https:// links are considered at all
    $lower = strtolower($link);
    if (strlen($link) > 8 and (substr($lower, 0, 7) == "http://" or substr($lower, 0, 8) == "https://")) {
        $linka = explode("://", $link);
        if (isset($linka[1])) {
            // The host part ends at the first "/", "?", "#" or "\"
            $linkb = preg_split('~[/?#\\\\]~', $linka[1]);
            $linki = 0;
            while (isset($list[$linki])) {
                if (strlen($linkb[0]) >= strlen($list[$linki])) {
                    // The host must end with the whitelisted domain ...
                    $linkc = substr($linkb[0], -strlen($list[$linki]));
                    if (strtolower($linkc) == strtolower($list[$linki])) {
                        // ... and be exactly that domain or a subdomain of it
                        $linkc = substr($linkb[0], -strlen($list[$linki]) - 1);
                        if (strtolower($linkc) == strtolower($list[$linki]) or strtolower($linkc) == "." . strtolower($list[$linki])) {
                            return "<img src=\"" . $link . "\" border=\"0\" alt=\"\" />";
                        }
                    }
                }
                $linki++;
            }
        }
    }

    // Not on the whitelist: show the link as text instead of loading it
    return "
" . $link . "
Please upload your picture at a trusted hoster (showthread.php?t=11312). For example abload.de
";
}
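An alternative form of the same host whitelist check, added here as an example (it is not vBulletin code and not the author's patch): the host is taken from PHP's parse_url() instead of being cut out of the string by hand, so path, query string and fragment never take part in the comparison. The function names img_host_allowed() and render_img_bbcode() and the two-entry allowlist are assumptions for illustration.

```php
<?php
// Added example, not vBulletin code; names and allowlist are assumptions.

function img_host_allowed(string $link, array $allowlist): bool
{
    // Browsers and parse_url() disagree on whitespace, control chars and "\".
    if (preg_match('/[\x00-\x20\\\\]/', $link)) {
        return false;
    }
    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                      // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                      // only http:// and https://
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                      // no user:pass@host forms
    }
    $host = strtolower($parts['host']);
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return false;                      // plain DNS names only
    }
    foreach ($allowlist as $domain) {
        $domain = strtolower($domain);
        // The host itself, or a subdomain separated from it by a dot
        if ($host === $domain || substr($host, -strlen($domain) - 1) === '.' . $domain) {
            return true;
        }
    }
    return false;
}

function render_img_bbcode(string $link, array $allowlist): string
{
    $safe = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
    return img_host_allowed($link, $allowlist)
        ? '<img src="' . $safe . '" border="0" alt="" />'
        : $safe;                           // shown as text, never fetched
}

// Constructed sample input
$allowlist = ['abload.de', 'imgur.com'];
foreach ([
    'https://i.imgur.com/a.png', 'http://ABLOAD.de/img/x.jpg',
    'http://forum.example/?ref=.imgur.com', 'https://notimgur.com/a.png',
] as $s) {
    echo $s, ' => ', img_host_allowed($s, $allowlist) ? 'allowed' : 'rejected', "\n";
}
```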
################################################################################
Our Forum:
http://uniquecrew.net
Special Thanks to: Cyber Tjak, P4INW4R, unnex, f00bar, thetest69 and all other forum members
################################################################################[/php]
https://nopaste.xyz/?4562b9fea9f7b97f#3xcDzsVwUqYaucunk53KR17MIm4/p3hZHhUYUmvQHGo=