I'm going to write about RCE on the MyBB 1.8.22 admin panel, which I have analyzed a lot over the past year, because of the ninja patch.

1. MyBB error function code (/inc/class_error.php) 

The code above checks the value of the settings variable and then runs the log_error function.

2. MyBB log_error function code (/inc/class_error.php) 

The code above checks the value of the settings variable and creates the error log file at the path it specifies.

3. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)

The code in the picture above validates the input, updates the data in the database, and then calls the rebuild_settings() function.

4. MyBB rebuild_settings function code (/inc/functions.php)

The code above SELECTs the values from the settings table, replaces dangerous strings in the data, and then calls file_put_contents.

1. error log setting page in Admin Panel

In the MyBB admin panel, there is a place to configure the error log.

If you can include PHP code in the error, RCE is possible!

4. MyBB Setting page in Admin panel (/admin/modules/config/settings.php)

The code above checks the path using the realpath function and accepts it if the result is not false.

5. php.net/realpath function

The realpath function checks whether the path actually exists and returns the canonical path, resolving strings such as "./" and "../", as shown in the picture below.

6. realpath function return value

However, the realpath function has the following trick.

7. realpath function trick

Using this trick, the check in image 4 could be bypassed.
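For comparison, here is what a stricter version of that check could look like. This is an added example for this writeup, not MyBB's code and not the ninja patch; the function names, the dedicated log directory and the `.log`-only file name rule are my assumptions. The idea is to stop relying on realpath alone: the directory part is resolved by the OS and must stay inside a directory that the web server never executes as PHP, the file name is whitelisted separately (so a not-yet-existing log file is still accepted), and the writer encodes every message so that a PHP open tag can never land in the file verbatim. A small scanner at the end shows how to check existing logs for literal tags.

```php
<?php
// Added example, not MyBB code. Hypothetical names throughout.
// Assumption: $allowedDir is a directory reserved for logs that the web
// server is configured never to execute as PHP.

function validate_error_log_path(string $userPath, string $allowedDir): ?string
{
    // Resolve directory and file name separately: realpath() returns false
    // for a file that does not exist yet, but the directory must exist, and
    // resolving it lets the OS collapse "../" and symlinks before we compare.
    $dir     = realpath(dirname($userPath));
    $base    = basename($userPath);
    $allowed = realpath($allowedDir);
    if ($dir === false || $allowed === false) {
        return null;
    }
    // The resolved directory must be the allowed directory or live inside it.
    if ($dir !== $allowed && strpos($dir, $allowed . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Whitelist the file name: plain characters and a .log suffix only, so the
    // target can never carry an extension the server would execute.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.log$/', $base)) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $base;
}

function write_error_log_line(string $logPath, string $message): bool
{
    // Defence in depth: encode the message so "<?php" cannot appear literally
    // even if the file is ever reachable through some other route.
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $line = '[' . gmdate('Y-m-d H:i:s') . '] ' . $safe . PHP_EOL;
    return file_put_contents($logPath, $line, FILE_APPEND | LOCK_EX) !== false;
}

function find_php_tags_in_log(string $logPath): array
{
    // Detection helper: line numbers that contain a literal PHP open tag.
    $hits  = [];
    $lines = file($logPath, FILE_IGNORE_NEW_LINES) ?: [];
    foreach ($lines as $n => $line) {
        if (preg_match('/<\?(php|=)?/i', $line)) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed inputs for a quick local run (the directory is hypothetical).
$allowedDir = sys_get_temp_dir() . '/mybb_logs_example';
@mkdir($allowedDir, 0700, true);

$cases = [
    $allowedDir . '/errors.log',     // accepted
    $allowedDir . '/../evil.php',    // rejected: leaves the allowed directory
    $allowedDir . '/shell.php',      // rejected: executable extension
    $allowedDir . '/errors.log.php', // rejected: extension is not .log
];
foreach ($cases as $c) {
    $r = validate_error_log_path($c, $allowedDir);
    printf("%-60s => %s\n", $c, $r === null ? 'REJECTED' : 'ok: ' . $r);
}

// A message that carries a PHP tag is stored encoded, so the scanner finds nothing.
$log = validate_error_log_path($allowedDir . '/errors.log', $allowedDir);
write_error_log_line($log, 'upload "<?php echo 1; ?>" failed (constructed message)');
echo 'lines with literal PHP tags: ' . count(find_php_tags_in_log($log)) . PHP_EOL;
```

Run it with `php example.php`. The important design choice is that the extension rule is applied to the resolved file name, not the raw input, and that the allowed directory is compared after both sides have gone through realpath, so symlinked temp directories on different platforms still compare equal.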

The exploit is as follows.

8. error log setting page in Admin Panel

Set it as above.

9. Attach a file to a MyBB board

10. Error display

11. Successful webshell write

The ninja patch is a waste, but it was fun!

If you have any questions, please contact me on Twitter.
