id: CVE-2016-6195 info: name: vBulletin <= 4.2.3 - SQL Injection author: MaStErChO severity: critical description: | vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database. impact: | Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. remediation: | Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor. reference: - https://www.cvedetails.com/cve/CVE-2016-6195/ - https://www.exploit-db.com/exploits/38489 - https://enumerated.wordpress.com/2016/07/11/1/ - http://www.vbulletin.org/forum/showthread.php?t=322848 - https://github.com/drewlong/vbully classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-6195 cwe-id: CWE-89 epss-score: 0.00284 epss-percentile: 0.68612 cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:* metadata: verified: "true" max-request: 6 vendor: vbulletin product: vbulletin shodan-query: - title:"Powered By vBulletin" - http.html:"powered by vbulletin" - http.component:"vbulletin" - http.title:"powered by vbulletin" - cpe:"cpe:2.3:a:vbulletin:vbulletin" fofa-query: - body="powered by vbulletin" - title="powered by vbulletin" google-query: - intext:"powered by vbulletin" - intitle:"powered by vbulletin" tags: cve2016,cve,vbulletin,sqli,forum,edb http: - method: GET path: - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "type=dberror" - type: status status: - 200 - 503 condition: or # digest: 4a0a004730450220657adc2a38a598c9c739307271e03f60bac84ec0fdd7b8fe171bf030497bdbf9022100dc7cf4e7c541e2871d54b2f929d4b94f40eccd5bc9e4637374eeb4f9c48c2530:922c64590222798bb761d5b6d8e72950