Chybeta

【CVE-2019-16759】:pre-auth RCE in vBulletin 5.x

pre-auth RCE in vBulletin 5.x .

https://twitter.com/chybeta/status/1176702424045772800

中文: https://xz.aliyun.com/t/6419

0x01 Summary

https://seclists.org/fulldisclosure/2019/Sep/31

image.png

0x02 Analysis

The first parameter routestring tell what template should vBulletin look for.

image.png

In the callRender()$routeInfo[2] will be set as widget_php and $params will contains the render config $widgetCongi[code]

image.png

In \core\install\vbulletin-style.xml,we can fidn a template named widget_php

image.png

So when $widgetConfig['code'] is not null and the setting disable_php_rendering isn’t disabled, vBulletin will use the following syntax to render template:

1
2
{vb:action evaledPHP, bbcode, evalCode, {vb:raw widgetConfig.code}}
{vb:raw $evaledPHP}

In includes\vb5\frontend\controller\bbcode.php , you can find how evalCode defined:

image.png

Finally cause PHP-Template injection and pre-auth RCE in vBulletin 5.x。

0x03 Reproduce

image.png

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:【CVE-2019-16759】:pre-auth RCE in vBulletin 5.x

文章作者:chybeta

发布时间:2019年09月28日 - 08:09

最后更新:2019年09月28日 - 08:09

原始链接:http://chybeta.github.io/2019/09/28/【CVE-2019-16759】-pre-auth-RCE-in-vBulletin-5-x/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。