Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-16759 PoC — vBulletin 输入验证错误漏洞

Source
https://github.com/theLSA/vbulletin5-rce
Associated Vulnerability
Title:vBulletin 输入验证错误漏洞 (CVE-2019-16759)
Description:vBulletin是美国InternetBrands和vBulletinSolutions公司的一款基于PHP和MySQL的开源Web论坛程序。 vBulletin 5.x版本至5.5.4版本中存在安全漏洞。攻击者可借助‘widgetConfig[code]’参数利用该漏洞执行命令。
Description
CVE-2019-16759 vbulletin 5.0.0 till 5.5.4 pre-auth rce
Readme
# vbulletin5 rce漏洞检测工具



# 0x00 概述

201909 vbulletion5(5.0.0-5.5.4)爆出rce漏洞(CVE-2019-16759),利用文件ajax/render/widget_php和post参数widgetConfig[code]可直接远程代码执行。

20200811,网上爆出CVE-2019-16759补丁可被绕过,利用ajax/render/widget_tabbedcontainer_tab_panel和构造post参数subWidgets[0][config][code]可直接远程代码执行。

本工具支持单url检测,cmdshell,get web shell(写入一句话木马),批量检测,批量getshell。



## 0x01 需求

python2.7

pip install requests



## 0x02 快速开始

使用帮助: python vbulletin5-rce.py -h


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin00.png)


单url漏洞检测: python vbulletin5-rce.py -u "http://www.xxx.com/"


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin01.png)

![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin06.png)


cmdshell: python vbulletin5-rce.py -u "http://www.xxx.com/" --cmdshell


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin02.png)

![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin07.png)

单url getshell: python vbulletin5-rce.py -u "http://www.xxx.com/" --getshell


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin03.png)

![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin08.png)

批量检测: python vbulletin5-rce.py -f urls.txt


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin04.png)


批量getshhell: python vbulletin5-rce.py -f urls.txt --getshell


![](https://github.com/theLSA/vbulletin5-rce/raw/master/demo/vbulletin05.png)



## 0x03 反馈

[issus](https://github.com/theLSA/vbulletin5-rce/issues)

gmail:[lsasguge196@gmail.com](mailto:lsasguge196@gmail.com)

qq:[2894400469@qq.com](mailto:2894400469@qq.com)
File Snapshot

 [4.0K]  /data/pocs/219bce1e0b886850953c7f80bf660477a21c43bf
├── [4.0K]  batch_result
│   └── [4.0K]  20191002155708
│       └── [   0]  success.txt
├── [4.0K]  demo
│   ├── [ 13K]  vbulletin00.png
│   ├── [7.3K]  vbulletin01.png
│   ├── [6.1K]  vbulletin02.png
│   ├── [ 12K]  vbulletin03.png
│   ├── [ 13K]  vbulletin04.png
│   ├── [ 36K]  vbulletin05.png
│   ├── [ 26K]  vbulletin06.png
│   ├── [ 34K]  vbulletin07.png
│   └── [ 39K]  vbulletin08.png
├── [1.0K]  LICENSE
├── [1.8K]  README.md
├── [   0]  urls.txt
└── [ 14K]  vbulletin5-rce.py

3 directories, 14 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.