CVE-2013-3522
published 2013-05-10


Priority: P2 (66), medium
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 27.08% (97.8th percentile)
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
vbulletin | vbulletin | |

Detection & IOCs (extracted from sources)

url: index.php/ajax/api/reputation/vote
url: http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt
command: nodeid=<id>) and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
  • Monitor POST requests to 'index.php/ajax/api/reputation/vote' with a 'nodeid' parameter containing SQL metacharacters or subquery patterns (e.g., parentheses, SELECT, CONCAT, floor(rand())). A 'Database error in vBulletin' string in the HTTP 200 response body indicates successful blind/error-based SQLi.
  • Detect exploitation chain: SQLi on /ajax/api/reputation/vote followed by login attempt to login.php with 'logintype=cplogin' and pre-computed MD5 hash fields ('vb_login_md5password'), then product import via admincp/product.php — this sequence indicates the full RCE exploit chain.
  • Alert on multipart POST to admincp/product.php?do=productimport containing an XML file upload ('productfile' field) immediately after an admin login — this is the payload delivery step of the exploit.
  • The PoC uses a User-Agent of 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0' for all exploit requests; correlate this UA with POST requests to the vulnerable endpoint.
  • The error-based SQLi payload uses the pattern 'floor(rand(0)*2)' combined with GROUP BY to trigger a duplicate-key error; detect this pattern in POST body parameters targeting vBulletin endpoints.
  • The exploit has been observed in the wild since March 2013; flag vBulletin 5.0.0 Beta 11 through Beta 28 installations as vulnerable during asset inventory.
  • The Metasploit module brute-forces valid node IDs between MINNODE (default 1) and MAXNODE (default 100); defenders should note that the SQLi requires a valid node ID to function, so environments with no public nodes in that range may reduce exploitability.
  • The exploit requires the attacker to be a remote authenticated user; unauthenticated exploitation is not indicated by the CVE description.
  • The RCE module (vbulletin_vote_sqli_exec) was tested specifically on vBulletin 5.0.0 Beta 13 on Ubuntu Linux; behavior on other OS/version combinations may differ.
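
The detection notes above, sketched as a per-client correlation over parsed web requests. This is an added example, not code from the page or from any PoC; the record fields (ts, client, method, url, body, response) and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# SQL constructs and metacharacters that should never appear in a numeric node id.
SQLI_RE = re.compile(r"(?i)\bselect\b|\bconcat\s*\(|floor\s*\(\s*rand\s*\(|\bgroup\s+by\b|[()']")
ORDER = ["sqli", "cp_login", "product_import"]  # chain order described in the notes above

def classify(req):
    """Map one request record to a chain stage name, or None if unremarkable."""
    if req["method"] != "POST":
        return None
    url, body = urlsplit(req["url"]), req.get("body", "")
    if url.path.endswith("index.php/ajax/api/reputation/vote"):
        if any(SQLI_RE.search(v) for v in parse_qs(body).get("nodeid", [])):
            return "sqli"
    elif url.path.endswith("/login.php"):
        form = parse_qs(body)
        if form.get("logintype") == ["cplogin"] and "vb_login_md5password" in form:
            return "cp_login"
    elif url.path.endswith("admincp/product.php"):
        if parse_qs(url.query).get("do") == ["productimport"] and 'name="productfile"' in body:
            return "product_import"
    return None

def detect(requests):
    """Alert on every SQLi hit and on later stages only when they follow it in order."""
    progress, alerts = {}, []
    for req in sorted(requests, key=lambda r: r["ts"]):
        stage = classify(req)
        if stage is None:
            continue
        done = progress.get(req["client"], 0)
        advanced = ORDER.index(stage) == done  # is this the next expected stage?
        if advanced:
            progress[req["client"]] = done = done + 1
        if stage == "sqli" or advanced:  # a lone admin login is not alerted on
            alerts.append({"client": req["client"], "stage": stage, "chain": done == len(ORDER),
                           "db_error": "Database error in vBulletin" in req.get("response", "")})
    return alerts

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    {"ts": 1, "client": "198.51.100.7", "method": "POST", "url": "/index.php/ajax/api/reputation/vote", "body": "nodeid=42"},
    {"ts": 2, "client": "192.0.2.10", "method": "POST", "url": "/index.php/ajax/api/reputation/vote", "body": "nodeid=7) and(select count(*),floor(rand(0)*2)x group by x", "response": "Database error in vBulletin"},
    {"ts": 3, "client": "192.0.2.10", "method": "POST", "url": "/login.php", "body": "logintype=cplogin&vb_login_md5password=00"},
    {"ts": 4, "client": "192.0.2.10", "method": "POST", "url": "/admincp/product.php?do=productimport", "body": 'form-data; name="productfile"; filename="p.xml"'},
    {"ts": 5, "client": "198.51.100.7", "method": "POST", "url": "/login.php", "body": "logintype=cplogin&vb_login_md5password=00"},
]
```

`detect(SAMPLE)` yields three alerts for 192.0.2.10, the last with `chain` set, and none for the ordinary vote and admin login from 198.51.100.7.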

CVSS provenance

nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 6.5 | MEDIUM