I'm going to write about RCE on the MyBB 1.8.22 Admin panel, which I've analyzed a lot over the past year Because ninja patch
If you look at the code above, check the value of the settings variable and run the log_error function.
If you look at the code above, checks the value of the settings variable and generates an error log file in that path.
If you look at the code in the picture above, after checking the input, After updating the data in the database, perform the rebuild_setting() function.
If you look at the code above, SELECT the value of the Settings Table, replace the dangerous string of data, and then run the file_put_content function
If you look at the MyBB admin panel, there is a place for setting up error log
If you can include the php code in the error, RCE is possible!
If you look at the code above, check the path using realpath function and pass if it is not false.
The realpath function checks if the path actually exists and returns the actual path by replacing the string "./","../", etc. as shown in the picture below.
However, the realpath function has the following tricks
By using this trick, the code for image 4 could be bypassed.
Exploit is as follows
Set as above.
Ninja Patch is a waste, but it was fun!
If you need any questions, please contact me on Twitter.