- vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.
  Disclosure Date: 2020-08-09
  First seen: 2020-08-12
  exploit/multi/http/vbulletin_widget_template_rce
  This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument. This causes the former template to load the latter, bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input, allowing the module to achieve PHP remote code execution on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.
  Authors:
  - Zenofex <zenofex@exploitee.rs>
- vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
  Disclosure Date: 2020-03-12
  First seen: 2020-06-02
  auxiliary/gather/vbulletin_getindexablecontent_sqli
  This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options). This module has been tested successfully on vBulletin Version 5.6.1 on Ubuntu Linux.
  Authors:
  - Charles Fol <folcharles@gmail.com>
  - Zenofex <zenofex@exploitee.rs>
- vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
  Disclosure Date: 2020-03-12
  First seen: 2020-06-02
  exploit/multi/http/vbulletin_getindexablecontent
  This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier. This module uses the getIndexableContent vulnerability to reset the administrator's password; it then uses the administrator's login information to achieve RCE on the target. This module has been tested successfully on vBulletin Version 5.6.1 on Ubuntu Linux distribution.
  Authors:
  - Charles Fol <folcharles@gmail.com>
  - Zenofex <zenofex@exploitee.rs>
- vBulletin widgetConfig RCE
  Disclosure Date: 2019-09-23
  First seen: 2020-04-26
  exploit/multi/http/vbulletin_widgetconfig_rce
  vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.
- vBulletin 5.1.2 Unserialize Code Execution
  Disclosure Date: 2015-11-04
  First seen: 2020-04-26
  exploit/multi/http/vbulletin_unserialize
  This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9.
  Authors:
  - Netanel Rubin
  - cutz
  - Julien (jvoisin) Voisin
- vBulletin Administrator Account Creation
  Disclosure Date: 2013-10-09
  First seen: 2020-04-26
  auxiliary/admin/http/vbulletin_upgrade_admin
  This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild in October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0.
  Authors:
  - Unknown
  - juan vazquez <juan.vazquez@metasploit.com>
- vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection
  Disclosure Date: 2013-03-25
  First seen: 2020-04-26
  exploit/unix/webapp/vbulletin_vote_sqli_exec
  This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module uses the SQLi to extract the web application's usernames and hashes. With the retrieved information, it tries to log into the admin control panel in order to deploy the PHP payload. This module has been tested successfully on vBulletin Version 5.0.0 Beta 13 over an Ubuntu Linux distribution.
  Authors:
  - Orestis Kourides
  - juan vazquez <juan.vazquez@metasploit.com>
- vBulletin Password Collector via nodeid SQL Injection
  Disclosure Date: 2013-03-24
  First seen: 2020-04-26
  auxiliary/gather/vbulletin_vote_sqli
  This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module can be used to extract the web application's usernames and hashes, which could be used to authenticate into the vBulletin admin control panel.
  Authors:
  - Orestis Kourides
  - sinn3r <sinn3r@metasploit.com>
  - juan vazquez <juan.vazquez@metasploit.com>
8 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.