[Exploit] vBulletin 5.1.x – PreAuth Remote Code Execution

The vBulletin team has patched a critical object injection vulnerability in version 5.1.x that can lead to remote code execution. CVE-2015-7808 has been assigned to this vulnerability. The PoC for this exploit was released by some guy on Twitter after defacing the official vBulletin portal using the same exploit. You can find the technical details here.

I have written a demo exploit which grabs the kernel information (uname -a) of the vulnerable target, just to see how many websites are affected by this vulnerability.

I have used Google Dork Scanner from one of my previous posts to grab websites running the vulnerable version of vBulletin, i.e. 5.1.x. You can create your own list of vulnerable targets. I’m going to run a mass exploit against the target list. You can find the target list here.

Requirements

You can install requests and colorama simply by executing the following command in your terminal.

Now, to use the following exploit, make sure that your urls.txt is in the same directory. If you don’t have one, you can use mine.

Last Scan Result (08-11-2015)

Edit: Most of the websites from my last scan results are either patched or hacked (defaced).

GitHub Repository

This exploit can be further modified to get complete (shell) access to the target. And before I forget...

Disclaimer

I hereby take no responsibility for any loss or damage caused by this tutorial. This article has been shared for educational purposes only.

If you have any further suggestions, feel free to contact me. Details are in the footer.