metasploit-framework/modules/auxiliary/scanner/http/joomla_plugins.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
  # Joomscan and various MSF modules for code examples.
  def initialize
    super(
      'Name'        => 'Joomla Plugins Scanner',
      'Description' => %q{
          This module scans a Joomla install for plugins and potential
        vulnerabilities.
      },
      'Author'      => [ 'newpid0' ],
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        OptString.new('TARGETURI', [ true,  "The path to the Joomla install", '/']),
        OptPath.new('PLUGINS',   [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.data_directory, "wordlists", "joomla.txt")])
      ], self.class)
  end

  def run_host(ip)
    tpath = normalize_uri(target_uri.path)
    if tpath[-1,1] != '/'
      tpath += '/'
    end

    vprint_status("Checking for interesting plugins")
    res = send_request_cgi({
      'uri' => tpath,
      'method' => 'GET'
    })
    return if res.nil?

    res.body.gsub!(/[\r|\n]/, ' ')
    File.open(datastore['PLUGINS'], 'rb').each_line do |line|
      papp = line.chomp
      plugin_search(tpath, papp, ip, res.body.size)
    end
  end

  def plugin_search(tpath, papp, ip, osize)
    res = send_request_cgi({
      'uri' => "#{tpath}#{papp}",
      'method' => 'GET'
    })
    return if res.nil?

    res.body.gsub!(/[\r|\n]/, ' ')
    nsize = res.body.size

    if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
      print_good("Plugin: #{tpath}#{papp} ")
      report_note(
        :host  => ip,
        :port  => rport,
        :proto => 'http',
        :ntype => 'joomla_plugin',
        :data  => "#{tpath}#{papp}",
        :update => :unique_data
      )

      if (papp =~/passwd/ and res.body =~/root/)
        print_good("Vulnerability: Potential LFI")
        report_web_vuln(
          :host	=> ip,
          :port	=> rport,
          :vhost  => vhost,
          :ssl    => ssl,
          :path	=> tpath,
          :method => "GET",
          :pname  => "",
          :proof  => "Response with code #{res.code} contains the 'root' signature",
          :risk   => 1,
          :confidence   => 10,
          :category     => 'Local File Inclusion',
          :description  => "Joomla: Potential LFI at #{tpath}#{papp}",
          :name   => 'Local File Inclusion'
        )
      elsif (res.body =~/SQL syntax/)
        print_good("Vulnerability: Potential SQL Injection")
        report_web_vuln(
          :host	=> ip,
          :port	=> rport,
          :vhost  => vhost,
          :ssl    => ssl,
          :path	=> tpath,
          :method => "GET",
          :pname  => "",
          :proof  => "Response with code #{res.code} contains the 'SQL syntax' signature",
          :risk   => 1,
          :confidence   => 10,
          :category     => 'SQL Injection',
          :description  => "Joomla: Potential SQLI at #{tpath}#{papp}",
          :name   => 'SQL Injection'
        )
      elsif (papp =~/>alert/ and res.body =~/>alert/)
        print_good("Vulnerability: Potential XSS")
        report_web_vuln(
          :host	=> ip,
          :port	=> rport,
          :vhost  => vhost,
          :ssl    => ssl,
          :path	=> tpath,
          :method => "GET",
          :pname  => "",
          :proof  => "Response with code #{res.code} contains the '>alert' signature",
          :risk   => 1,
          :confidence   => 10,
          :category     => 'Cross Site Scripting',
          :description  => "Joomla: Potential XSS at #{tpath}#{papp}",
          :name   => 'Cross Site Scripting'
        )
      elsif (papp =~/com_/)
        vars = papp.split('_')
        pages = vars[1].gsub('/','')
        res1 = send_request_cgi({
          'uri' => "#{tpath}index.php?option=com_#{pages}",
          'method' => 'GET'
        })
        if (res1.code == 200)
          print_good("Page: #{tpath}index.php?option=com_#{pages}")
          report_note(
            :host  => ip,
            :port  => datastore['RPORT'],
            :proto => 'http',
            :ntype => 'joomla_page',
            :data  => "Page: #{tpath}index.php?option=com_#{pages}",
            :update => :unique_data
          )
        else
          vprint_error("Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response")
        end
      end
    elsif (res.code == 403)
      if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
        vprint_status("#{ip} ip access to #{ip} (SSL Required)")
      elsif (res.body =~ /has a list of IP addresses that are not allowed/)
        vprint_status("#{ip} restricted access by IP")
      elsif (res.body =~ /SSL client certificate is required/)
        vprint_status("#{ip} requires a SSL client certificate")
      else
        vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}")
      end
    end
    return

    rescue OpenSSL::SSL::SSLError
      vprint_error("SSL error")
      return
    rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
      vprint_error("Unable to Connect")
      return
    rescue ::Timeout::Error, ::Errno::EPIPE
      vprint_error("Timeout error")
      return
  end

end
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00			`##`
			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to`
			`# Joomscan and various MSF modules for code examples.`
			`def initialize`
			`super(`
			`'Name' => 'Joomla Plugins Scanner',`
			`'Description' => %q{`
			`This module scans a Joomla install for plugins and potential`
			`vulnerabilities.`
			`},`
			`'Author' => [ 'newpid0' ],`
			`'License' => MSF_LICENSE`
			`)`
			`register_options(`
			`[`
			`OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']),`
Find and replace 2013-09-26 19:34:48 +00:00			`OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.data_directory, "wordlists", "joomla.txt")])`
Retab modules 2013-08-30 21:28:54 +00:00			`], self.class)`
			`end`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
			`tpath = normalize_uri(target_uri.path)`
			`if tpath[-1,1] != '/'`
			`tpath += '/'`
			`end`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_status("Checking for interesting plugins")`
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_cgi({`
			`'uri' => tpath,`
			`'method' => 'GET'`
			`})`
			`return if res.nil?`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res.body.gsub!(/[\r\|\n]/, ' ')`
			`File.open(datastore['PLUGINS'], 'rb').each_line do \|line\|`
			`papp = line.chomp`
			`plugin_search(tpath, papp, ip, res.body.size)`
			`end`
			`end`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def plugin_search(tpath, papp, ip, osize)`
			`res = send_request_cgi({`
			`'uri' => "#{tpath}#{papp}",`
			`'method' => 'GET'`
			`})`
			`return if res.nil?`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res.body.gsub!(/[\r\|\n]/, ' ')`
			`nsize = res.body.size`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Plugin: #{tpath}#{papp} ")`
Retab modules 2013-08-30 21:28:54 +00:00			`report_note(`
			`:host => ip,`
			`:port => rport,`
			`:proto => 'http',`
			`:ntype => 'joomla_plugin',`
			`:data => "#{tpath}#{papp}",`
			`:update => :unique_data`
			`)`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (papp =~/passwd/ and res.body =~/root/)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Vulnerability: Potential LFI")`
Retab modules 2013-08-30 21:28:54 +00:00			`report_web_vuln(`
			`:host => ip,`
			`:port => rport,`
			`:vhost => vhost,`
			`:ssl => ssl,`
			`:path => tpath,`
			`:method => "GET",`
			`:pname => "",`
			`:proof => "Response with code #{res.code} contains the 'root' signature",`
			`:risk => 1,`
			`:confidence => 10,`
			`:category => 'Local File Inclusion',`
			`:description => "Joomla: Potential LFI at #{tpath}#{papp}",`
			`:name => 'Local File Inclusion'`
			`)`
			`elsif (res.body =~/SQL syntax/)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Vulnerability: Potential SQL Injection")`
Retab modules 2013-08-30 21:28:54 +00:00			`report_web_vuln(`
			`:host => ip,`
			`:port => rport,`
			`:vhost => vhost,`
			`:ssl => ssl,`
			`:path => tpath,`
			`:method => "GET",`
			`:pname => "",`
			`:proof => "Response with code #{res.code} contains the 'SQL syntax' signature",`
			`:risk => 1,`
			`:confidence => 10,`
			`:category => 'SQL Injection',`
			`:description => "Joomla: Potential SQLI at #{tpath}#{papp}",`
			`:name => 'SQL Injection'`
			`)`
			`elsif (papp =~/>alert/ and res.body =~/>alert/)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Vulnerability: Potential XSS")`
Retab modules 2013-08-30 21:28:54 +00:00			`report_web_vuln(`
			`:host => ip,`
			`:port => rport,`
			`:vhost => vhost,`
			`:ssl => ssl,`
			`:path => tpath,`
			`:method => "GET",`
			`:pname => "",`
			`:proof => "Response with code #{res.code} contains the '>alert' signature",`
			`:risk => 1,`
			`:confidence => 10,`
			`:category => 'Cross Site Scripting',`
			`:description => "Joomla: Potential XSS at #{tpath}#{papp}",`
			`:name => 'Cross Site Scripting'`
			`)`
			`elsif (papp =~/com_/)`
			`vars = papp.split('_')`
			`pages = vars[1].gsub('/','')`
			`res1 = send_request_cgi({`
			`'uri' => "#{tpath}index.php?option=com_#{pages}",`
			`'method' => 'GET'`
			`})`
			`if (res1.code == 200)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Page: #{tpath}index.php?option=com_#{pages}")`
Retab modules 2013-08-30 21:28:54 +00:00			`report_note(`
			`:host => ip,`
			`:port => datastore['RPORT'],`
			`:proto => 'http',`
			`:ntype => 'joomla_page',`
			`:data => "Page: #{tpath}index.php?option=com_#{pages}",`
			`:update => :unique_data`
			`)`
			`else`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_error("Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
			`elsif (res.code == 403)`
			`if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)`
			`vprint_status("#{ip} ip access to #{ip} (SSL Required)")`
			`elsif (res.body =~ /has a list of IP addresses that are not allowed/)`
			`vprint_status("#{ip} restricted access by IP")`
			`elsif (res.body =~ /SSL client certificate is required/)`
			`vprint_status("#{ip} requires a SSL client certificate")`
			`else`
			`vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}")`
			`end`
			`end`
			`return`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`rescue OpenSSL::SSL::SSLError`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_error("SSL error")`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_error("Unable to Connect")`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_error("Timeout error")`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
Proposal for joomla-scanner 2013-01-25 19:44:49 +00:00
			`end`