I'm going to write about an RCE in the MyBB 1.8.22 admin panel, which I have analyzed a lot over the past year, because of a ninja patch.
1. MyBB error function code (/inc/class_error.php)
The code above checks the value of the settings variable and runs the log_error function.
2. MyBB log_error function code (/inc/class_error.php)
The code above checks the value of the settings variable and writes an error log file to that path.
3. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)
In the code in the picture above, after the input is checked and the data is updated in the database, the rebuild_settings() function is run.
4. MyBB rebuild_settings function code (/inc/functions.php)
The code above SELECTs the values from the settings table, replaces dangerous strings in the data, and then runs the file_put_contents function.
1. error log setting page in Admin Panel
If you look at the MyBB admin panel, there is a place to set up the error log.
If PHP code can be included in the error message, RCE is possible!
4. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)
The code above checks the path using the realpath function and passes it if the result is not false.
5. php.net/realpath function
The realpath function checks whether the path actually exists and returns the real path, with strings such as "./" and "../" resolved, as shown in the picture below.
6. realpath function return value
However, the realpath function has the following trick.
7. realpath function trick
By using this trick, the check in image 4 could be bypassed.
The exploit is as follows.
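The check described above accepts any path that realpath() can resolve. As an added example that is not MyBB's code, here is that weak check beside a stricter one that pins the resolved parent directory to an allowed base and refuses executable extensions; the base directory and file names are constructed for the demo.

```php
<?php
// Added example, not MyBB code: weak realpath-only check vs. a stricter one.
// $allowedBase is an assumed directory chosen by the administrator.

// Weak form: any path that resolves on disk is accepted, regardless of where
// it points or which extension the file has.
function weak_log_path_check(string $path): bool
{
    return realpath($path) !== false;
}

// Stricter form: the resolved parent directory must lie inside the allowed
// base directory, and the file name must carry a non-executable extension.
function strict_log_path_check(string $path, string $allowedBase): bool
{
    if (strpos($path, "\0") !== false) {
        return false;                        // embedded NUL bytes are never valid
    }
    $base = realpath($allowedBase);
    $dir  = realpath(dirname($path));        // resolves "..", "./" and symlinks
    $name = basename($path);
    if ($base === false || $dir === false) {
        return false;                        // base or parent directory missing
    }
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                        // escaped the allowed directory
    }
    // Single non-PHP extension; \z (not $) so a trailing newline cannot slip in.
    return (bool) preg_match('/\A[A-Za-z0-9_-]+\.(log|txt)\z/', $name);
}

// Constructed usage: a temporary base directory created only for the demo.
$base = sys_get_temp_dir() . '/mybb_errorlog_demo';
if (!is_dir($base)) {
    mkdir($base, 0700);
}
touch($base . '/errors.log');
touch($base . '/errors.php');    // empty placeholder so realpath() succeeds
$candidates = [
    $base . '/errors.log',       // inside the base, .log extension
    $base . '/errors.php',       // inside the base, but a .php extension
    $base . '/../errors.log',    // parent directory resolves outside the base
    '/etc/hostname',             // outside the base entirely
];
foreach ($candidates as $candidate) {
    printf("%-45s weak=%-5s strict=%s\n", $candidate,
        var_export(weak_log_path_check($candidate), true),
        var_export(strict_log_path_check($candidate, $base), true));
}
```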
8. error log setting page in Admin Panel
Set as above.
9. Attach a file to a MyBB board
10. Error display
11. Success: webshell write
A ninja patch is a waste, but it was fun!
If you have any questions, please contact me on Twitter.