##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'MyBB Database Fingerprint',
'Description' => %q{
This module checks if MyBB is running behind an URL. Also uses a malformed query to
force an error and fingerprint the backend database used by MyBB on version 1.6.12
and prior.
},
'Author' =>
[
#http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-02-13'))
register_options(
[
OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
])
end
def check
begin
uri = normalize_uri(target_uri.path, 'index.php')
res = send_request_cgi(
{
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'intcheck' => 1
}
})
if res.nil? || res.code != 200
return Exploit::CheckCode::Unknown
end
# Check PhP
php_version = res['X-Powered-By']
if php_version
php_version = "#{php_version}"
else
php_version = "PHP version unknown"
end
# Check Web-Server
web_server = res['Server']
if web_server
web_server = "#{web_server}"
else
web_server = "unknown web server"
end
# Check forum MyBB
if res.body.match("MYBB")
print_good("MyBB forum found running on #{web_server} / #{php_version}")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
rescue
return Exploit::CheckCode::Unknown
end
end
def run
print_status("Checking MyBB...")
unless check == Exploit::CheckCode::Detected
print_error("MyBB not found")
return
end
print_status("Checking database...")
uri = normalize_uri(target_uri.path, 'memberlist.php')
response = send_request_cgi(
{
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'letter' => -1
}
})
if response.nil?
print_error("Timeout...")
return
end
# Resolve response
if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
print_good("Running PostgreSQL Database")
elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
print_good("Running SQLite Database")
else
print_status("Running MySQL or unknown database")
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation