vBulletin 4.1.x and 5.x.x 0day Exploit released by 1337 Hacker


vBulletin, a popular CMS for online forums, is being widely exploited by various hackers. The vBulletin team released an announcement about a possible exploit in versions 4.1+ and 5+ of vBulletin. The announcement read:

“A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation.”

The 1337 hacker released the exploit for vBulletin 4.1.x and 5.x.x on madleets. The major forums hacked by the 1337 hacker using the exploit are DirectAdmin, Suse, Siasat Pk, HostDime, ProPakistani and HostMonster.

Details of vBulletin 4.1.x and 5.x.x exploit released by the hacker:

  1. Find a vBulletin 4 or 5 target
  2. Make sure it has a /install/upgrade.php file in it
  3. Go to site.com/install/upgrade.php and right click the page and see source code. Find var CUSTNUMBER =
  4. Once found, copy it
  5. Upload this code onto a server: http://pastebin.com/7FfDZuDk
  6. Once uploaded, open the file
  7. After that paste that CUSTNUMBER into the Customer I.D box (It will be something like 9c4818514a74338f980793e7426b2fb1)
  8. Fill in the other boxes such as site URL, Username, Password and Email.
  9. Once done, click Inject Admin and let the page load
  10. That's all, now go to the forum and log in with the login details which you injected the site with.

How to patch the bug:

Remove the install directory.

  • 4.X – /install/
  • 5.X – /core/install
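
For forum administrators, the following added example (not from the original post or from vBulletin) checks a forum root for the two install directories listed above and scans web server access log lines for requests that reached upgrade.php inside them. The function names, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from pathlib import Path

# Install directories named in the mitigation above, relative to the forum root.
INSTALL_DIRS = {"4.x": "install", "5.x": "core/install"}

# Assumed Apache/nginx common or combined log format:
# ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any request path that reaches upgrade.php inside an install directory.
UPGRADE_RE = re.compile(r'/(?:core/)?install/upgrade\.php(?:[?#]|$)', re.I)


def leftover_install_dirs(forum_root):
    """Return {branch: path} for install directories still present on disk."""
    root = Path(forum_root)
    return {b: str(root / d) for b, d in INSTALL_DIRS.items() if (root / d).is_dir()}


def upgrade_hits(log_lines):
    """Return (ip, time, method, path, status) for each upgrade.php request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and UPGRADE_RE.search(m["path"]):
            hits.append((m["ip"], m["time"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2013:13:55:36 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2013:13:56:02 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Oct/2013:14:01:11 +0000] "GET /forum/index.php HTTP/1.1" 200 20480',
    '203.0.113.20 - - [10/Oct/2013:14:05:40 +0000] "GET /core/install/upgrade.php HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for branch, path in leftover_install_dirs(root).items():
        print(f"[!] {branch} install directory still present: {path}")
    for hit in upgrade_hits(SAMPLE_LOG):
        print("[!] upgrade.php request:", hit)
```

A 200 response to upgrade.php from an address that is not an administrator's is the case to follow up with a review of the forum's administrator accounts; a 404 indicates the directory was already gone when the request arrived.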