Fli
03-21-2017, 10:11 AM
How to install the vBulletin vulnerability scanner (scan a vB site for exploitable vulnerabilities):
Log in to Linux (don't have one? Get a VPS (http://instantcpanelhosting.com/cart.php?gid=4) or install it in VirtualBox) and go to the directory where you want to store the "vbscan (https://github.com/rezasp/vbscan/)" folder.
Then download vbscan:
git clone https://github.com/rezasp/vbscan.git
git not found? Run "apt-get install git" or "yum install git".
Go to its directory:
cd vbscan
Run it:
./vbscan.pl http://yourvbulletinsite.tld
Result (sample report):
# ./vbscan.pl https://domain.name
_ _ ____ ___ ___ __ _ _
( \/ )( _ \/ __) / __) /__\ ( \( )
\ / ) _ <\__ \( (__ /(__)\ ) (
\/ (____/(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP VBScan
+---++---==[Version : 0.1.7.1
+---++---==[Update Date : [2016/10/21]
+---++---==[Author : Mohammad Reza Espargham
+---++---==[Website : www.reza.es
--=[Code name : Larry Wall
@OWASP_VBScan , @rezesp , @OWASP
Processing https://domain.name ...
[+] Detecting Vbulletin based Firewall
[++] No known firewall detected
[+] Detecting vBulletin Version
[++] vBulletin 4.2.1
[+] Core Vbulletin Vulnerability
[++] vBulletin CVE-2016-6483 Server Side Request Forgery Security Bypass Vulnerability
EDB : http://www.exploit-db.com/exploits/40225/
http://www.securityfocus.com/bid/92350
http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
[+] vBulletin LICENSE Check
[++] vBulletin LICENSE file : https://domain.name/LICENSE
[+] Full Path Disclosure (FPD)
[++] Full Path Disclosure (FPD) in 'https://domain.name/forumdisplay.php?do[]=[test.dll]' : /home/username/public_html/includes/class_core.php
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] Checking admincp/modcp path
[++] admincp does not exist or renamed
[++] modcp Found
https://domain.name/modcp
[+] Checking upgrade.php to find admincp
[++] upgrade.php not found
[+] Checking validator.php
[++] validator.php is not found
[+] Checking robots.txt existing
[++] robots.txt is found
path : https://domain.name/robots.txt
Interesting path found from robots.txt
https://domain.name/install/
https://domain.name/profile.php
https://domain.name/register.php
https://domain.name/report.php
https://domain.name/
[+] Checking c99 xml shell in admincp/subscriptions.php
[++] c99 shell is found
shell path : https://domain.name/admincp/subscriptions.php?do=api
[+] Finding common backup files name
[++] Backup file is found
Path : https://domain.name/upload.zip
[+] Finding common log files name
[++] error log is not found
[+] Checking config.php.x for disclure config file
[++] Readable config files are not found
[+] Checking faq.php RCE backdoor
[++] Remote Code Execute backdoor not found
[+] Checking vBSEO 3.x - LFI (Local File Inclusion) vulnerability
[++] vbseo.php LFI is not vulnerable
[+] Checking vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability
[++] xperience.php not vulnerable
[+] Checking arcade.php SQLI Vulnerability
[++] arcade.php not found
[+] Checking vBulletin YUI 2.9.0 XSS
[++] uploader.swf is vulnerable
https://domain.name/clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert(/XSS/);}//
POC : https://packetstormsecurity.com/files/124746/vBulletin-YUI-2.9.0-Cross-Site-Scripting.html
[+] Checking for html tags status
[++] HTML tag are Disable
[+] Checking Vbulletin 5.x - Remote Code Execution Exploit
[++] decodeArguments is not vulnerable
Your Report : reports/domain.name/
vbscan cannot find vBulletin? Try pausing Cloudflare during the scan. It seems that CF blocks these scans, which is good.
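
Added example (not part of the original post and not vbscan's own code): a small Python parser that turns a saved report like the one above into a triage list for the site owner, separating "not found / not vulnerable" results from the ones that need follow-up. It assumes plain-text output with the "[+]" / "[++]" prefixes shown in the sample; the names parse_report, actionable and NEGATIVE are hypothetical.

```python
import re

# Excerpt of the sample report shown above (domain.name is the page's placeholder).
SAMPLE = """\
[+] Detecting vBulletin Version
[++] vBulletin 4.2.1
[+] Checking admincp/modcp path
[++] admincp does not exist or renamed
[++] modcp Found
https://domain.name/modcp
[+] Checking c99 xml shell in admincp/subscriptions.php
[++] c99 shell is found
shell path : https://domain.name/admincp/subscriptions.php?do=api
[+] Finding common backup files name
[++] Backup file is found
Path : https://domain.name/upload.zip
[+] Checking faq.php RCE backdoor
[++] Remote Code Execute backdoor not found
[+] Checking vBSEO 3.x - LFI (Local File Inclusion) vulnerability
[++] vbseo.php LFI is not vulnerable
"""

# Result wordings that mean "nothing to act on", taken from the sample report.
NEGATIVE = re.compile(r"\bnot (?:found|vulnerable)\b|does not exist|No known", re.I)

def parse_report(text):
    """Return one dict per '[++]' result: check, result, details, actionable."""
    findings, check = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[++]"):
            result = line[4:].strip()
            findings.append({"check": check, "result": result, "details": [],
                             "actionable": not NEGATIVE.search(result)})
        elif line.startswith("[+]"):
            check = line[3:].strip()
        elif line and findings and findings[-1]["check"] == check:
            findings[-1]["details"].append(line)  # URL/path lines under a result
    return findings

def actionable(text):
    """Keep only results that need follow-up (exposed files, shells, version info)."""
    return [f for f in parse_report(text) if f["actionable"]]

if __name__ == "__main__":
    for f in actionable(SAMPLE):
        print(f"{f['check']}: {f['result']} {f['details']}")
```

On the full sample report, the results flagged this way include the exposed upload.zip backup and the shell at admincp/subscriptions.php, which are the items to remove and investigate first.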