Tag (0day)'s result:

vBulletin Forum v5双0day分析礼包

0x00 概述 前段时间网上爆出vbulletin v5论坛的两个0day,一个是文件包含导致代码执行,另一个是反序列化漏洞(cve-2017-17672),本文结合源码对这两个0day进行分析,主要参考https://blogs.securiteam.com/index.php/archives/3573和https://blogs.securiteam.com/index.php/archives/3569。   0x01 rce漏洞 首先看看index.php: $app = vB5_Frontend_Application::init(‘config.php’); //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini //file to catch these situations. // We report all errors here because we have to make Application Notice free error_reporting(E_ALL | E_STRICT); $config = vB5_Config::instance(); if (!$config->report_all_php_errors) { // Note that E_STRICT became part of E_ALL in PHP 5.4 error_reporting(E_ALL & ~(E_NOTICE | E_STRICT)); } $routing = $app->getRouter(); $controller = $routing->getController(); $method = $routing->getAction(); $template = $routing->getTemplate(); $class = ‘vB5_Frontend_Controller_’ . ucfirst($controller); if (!class_exists($class)) { // @todo – this needs a proper error message die(“Couldn’t find controller file for $class”); } vB5_Frontend_ExplainQueries::initialize(); $c = new $class($template); call_user_func_array(array(&$c, $method), $routing->getArguments()); vB5_Frontend_ExplainQueries::finish(); 大概看出是初始化配置,那就进入init这个方法看看,在 /includes/vb5/frontend/application.php: public static function init($configFile) { parent::init($configFile); self::$instance = new vB5_Frontend_Application(); self::$instance->router = new vB5_Frontend_Routing(); self::$instance->router->setRoutes(); self::$instance->router->processExternalLoginProviders(); $styleid = vB5_Template_Stylevar::instance()->getPreferredStyleId(); 重点关注setRoutes(),应该是设置路由,继续跟进这个方法: /includes/vb5/frontend/routing.php: function setRoutes() { $this->processQueryString(); //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it //$path = isset($_SERVER[‘PATH_INFO’])……