The access control in vBulletin versions below 5.6.1 are vulnerable to SQL injection as described in CVE-2020-12720. This tool has been used successfully on vBulletin version 5.6.1 on the Ubuntu Linux distribution.
vBulletin SQL injection tool
This tool uses the getIndexableContent vulnerability to reset the administrator’s password and it then uses the administrators login information to achieve remote code execution on the target.
Download this tool