Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-48828 PoC — Internet Brands vBulletin 安全漏洞

Source
https://github.com/ill-deed/vBulletin-CVE-2025-48828-Multi-target
Associated Vulnerability
Title:Internet Brands vBulletin 安全漏洞 (CVE-2025-48828)
Description:Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
Description
Batch RCE scanner for vulnerable vBulletin instances using replaceAdTemplate exploit.
Readme
# 💥 vBulletin Remote Code Execution Scanner (replaceAdTemplate)

This Python tool automates the detection of **unauthenticated RCE** vulnerabilities in **vBulletin** via the `replaceAdTemplate` exploit vector. Based on the original proof-of-concept by **EgiX**, this version supports **batch scanning**, **multithreading**, and logs confirmed vulnerable targets to `vuln.txt`.

## 🔥 Vulnerability Details

- **Exploit Name**: `replaceAdTemplate` RCE
- **CVE**: CVE-2025-48828
- **Affected**: Vulnerable versions of vBulletin using the `ajax/api/ad/replaceAdTemplate` route
- **Impact**: Remote Code Execution (unauthenticated)

## ⚙️ Features

- 🧠 Automatic command execution (`id`) to confirm RCE
- 🔎 Batch scan from a file (`targets.txt`)
- ⚡ Fast, multi-threaded scanner
- 🧾 Logs vulnerable targets and their output to `vuln.txt`
- 💬 Clean, modular codebase

## 📦 Requirements

- Python 3.x
- `requests` module

Install dependencies (if not already installed):

```bash
pip install requests
```

## 📂 Usage

1. Prepare your target list
Create a file named targets.txt and add one target URL per line:
```
http://example.com/vb/
https://target.net/forum/
192.168.1.100:8080/vb/
```

2. Run the scanner:
```
python3 scanner.py
```

3. Check vuln.txt for results:
```
http://victim.com/vb | uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

## ⚙️ Configuration

You can change these settings in the script:

COMMAND: Shell command to execute (default: id)

EXPECTED_OUTPUT: Expected substring to confirm execution (default: uid=)

THREADS: Number of concurrent scans (default: 20)

TARGET_FILE: Input file of domains (default: targets.txt)

OUTPUT_FILE: Output log file (default: vuln.txt)


## ⚠️ Disclaimer

This code is provided for educational and authorized security testing purposes only. Unauthorized use against systems without permission is illegal. The author and contributors are not responsible for misuse or damage caused by this software.

## 🙏 Credits

Original exploit author: EgiX

Python adaptation & batch scanner: ill deed


## 📄 License

MIT License – use responsibly.
File Snapshot

 [4.0K]  /data/pocs/37f0c8e2593973681d86a20240f2646a62490753
├── [1.0K]  LICENSE
├── [2.1K]  README.md
└── [2.3K]  scanner.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →