General code review and corrections
parent
0b61d28e0e
commit
5cfe58e8d5
|
@ -20,9 +20,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Joomla Scanner',
|
'Name' => 'Joomla Scanner',
|
||||||
'Version' => '$Revision: 14774 $',
|
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module scans the Joomla install for information and potential vulnerabilites.
|
This module scans a Joomla install for information and potential vulnerabilites.
|
||||||
},
|
},
|
||||||
'Author' => [ 'f8lerror' ],
|
'Author' => [ 'f8lerror' ],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
|
@ -40,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def osfingerprint(response)
|
def osfingerprint (response)
|
||||||
if(response.headers.has_key?('Server') )
|
if(response.headers.has_key?('Server') )
|
||||||
if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/)
|
if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/)
|
||||||
os = "Windows"
|
os = "Windows"
|
||||||
|
@ -51,8 +50,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return os
|
return os
|
||||||
end
|
end
|
||||||
def fingerprint(response, app)
|
|
||||||
|
def fingerprint (response, app)
|
||||||
|
|
||||||
if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i)
|
if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i)
|
||||||
v = $1
|
v = $1
|
||||||
|
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
return out
|
return out
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host (ip)
|
||||||
tpath = datastore['PATH']
|
tpath = datastore['PATH']
|
||||||
if tpath[-1,1] != '/'
|
if tpath[-1,1] != '/'
|
||||||
tpath += '/'
|
tpath += '/'
|
||||||
|
@ -102,12 +102,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
apps.each do |app|
|
apps.each do |app|
|
||||||
break if check_app(tpath,app,ip)
|
break if check_app(tpath,app,ip)
|
||||||
end
|
end
|
||||||
print_status("Scanning for interesting pages")
|
print_status("Scanning #{ip} for interesting pages")
|
||||||
iapps.each do |iapp|
|
iapps.each do |iapp|
|
||||||
scan_pages(tpath,iapp,ip)
|
scan_pages(tpath,iapp,ip)
|
||||||
end
|
end
|
||||||
if datastore['ENUMERATE']
|
if datastore['ENUMERATE']
|
||||||
print_status("Scanning for plugins")
|
print_status("Scanning #{ip} for plugins")
|
||||||
bres = send_request_cgi({
|
bres = send_request_cgi({
|
||||||
'uri' => tpath,
|
'uri' => tpath,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
|
@ -118,12 +118,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
papp = bapp.chomp
|
papp = bapp.chomp
|
||||||
plugin_search(tpath,papp,ip,bres)
|
plugin_search(tpath,papp,ip,bres)
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
def check_app(tpath, app, ip)
|
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_app (tpath, app, ip)
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => tpath+app,
|
'uri' => "#{datastore['PATH']}" << app,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
}, 5)
|
}, 5)
|
||||||
return if not res or not res.body or not res.code
|
return if not res or not res.body or not res.code
|
||||||
|
@ -159,13 +160,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
rescue OpenSSL::SSL::SSLError
|
rescue OpenSSL::SSL::SSLError
|
||||||
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
||||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||||
end
|
end
|
||||||
def scan_pages(tpath,iapp, ip)
|
|
||||||
|
def scan_pages (tpath, iapp, ip)
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => tpath+iapp,
|
'uri' => "#{datastore['PATH']}" << iapp,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
}, 5)
|
}, 5)
|
||||||
return if not res or not res.body or not res.code
|
return if not res or not res.body or not res.code
|
||||||
|
@ -201,13 +203,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
|
print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
rescue OpenSSL::SSL::SSLError
|
rescue OpenSSL::SSL::SSLError
|
||||||
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
||||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||||
end
|
end
|
||||||
def plugin_search(tpath,papp, ip, bres)
|
|
||||||
|
def plugin_search (tpath, papp, ip, bres)
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => tpath+papp,
|
'uri' => "#{datastore['PATH']}" << papp,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
}, 5)
|
}, 5)
|
||||||
return if not res or not res.body or not res.code
|
return if not res or not res.body or not res.code
|
||||||
|
@ -217,30 +220,32 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
|
if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
|
||||||
print_good("Found Plugin: #{papp} ")
|
print_good("Found Plugin: #{papp} ")
|
||||||
if (papp =~/passwd/ and res.body !~/root/)
|
if (papp =~/passwd/ and res.body !~/root/)
|
||||||
print_error("\tPasswd not found")
|
print_error("Passwd not found")
|
||||||
elsif(papp =~/passwd/ and res.body =~/root/)
|
elsif(papp =~/passwd/ and res.body =~/root/)
|
||||||
print_good("\tPasswd file found in response")
|
print_good("Passwd file found in response")
|
||||||
elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/)
|
elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/)
|
||||||
print_good("\tPossible SQL Injection")
|
print_good("Possible SQL Injection")
|
||||||
elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/)
|
elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/)
|
||||||
print_error("\tUnable to identify SQL injection")
|
print_error("Unable to identify SQL injection")
|
||||||
elsif(papp =~/>alert/ and res.body !~/>alert/)
|
elsif(papp =~/>alert/ and res.body !~/>alert/)
|
||||||
print_error("\tNo XSS")
|
print_error("No XSS")
|
||||||
elsif(papp =~/>alert/ and res.body =~/>alert/)
|
elsif(papp =~/>alert/ and res.body =~/>alert/)
|
||||||
print_good("\tPossible XSS")
|
print_good("Possible XSS")
|
||||||
elsif(res.body =~/SQL syntax/ )
|
elsif(res.body =~/SQL syntax/ )
|
||||||
print_error("\tPossible SQL Injection")
|
print_good("Possible SQL Injection")
|
||||||
elsif(papp =~/com_/)
|
elsif(papp =~/com_/)
|
||||||
blah = papp.split('_')
|
vars = papp.split('_')
|
||||||
blah1 = blah[1].gsub('/','')
|
pages = vars[1].gsub('/','')
|
||||||
res1 = send_request_cgi({
|
res1 = send_request_cgi({
|
||||||
'uri' => tpath+"index.php?option=com_#{blah1}",
|
'uri' => "#{datastore['PATH']}"<<"index.php?option=com_#{pages}",
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
}, 5)
|
}, 5)
|
||||||
if (res1.code.to_i == 200)
|
if (res1.code.to_i == 200)
|
||||||
print_status("\tFound_page: index.php?option=com_#{blah1}")
|
print_good("Found Page: index.php?option=com_#{pages}")
|
||||||
end
|
else
|
||||||
|
print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response")
|
||||||
end
|
end
|
||||||
|
end
|
||||||
report_note(
|
report_note(
|
||||||
:host => ip,
|
:host => ip,
|
||||||
:port => datastore['RPORT'],
|
:port => datastore['RPORT'],
|
||||||
|
@ -257,12 +262,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_status("#{ip} requires a SSL client certificate")
|
print_status("#{ip} requires a SSL client certificate")
|
||||||
else
|
else
|
||||||
print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
|
print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
rescue OpenSSL::SSL::SSLError
|
rescue OpenSSL::SSL::SSLError
|
||||||
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
|
||||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
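Review bot: The new `'uri' => "#{datastore['PATH']}" << app` lines in check_app, scan_pages and plugin_search (and the `index.php?option=com_` request in the last hunk) bypass the trailing-slash normalization that run_host still performs on `tpath`, so a PATH without a trailing slash now yields requests for e.g. `/joomlaadministrator/...` rather than `/joomla/administrator/...`, and the `tpath` parameter each helper still accepts is left unused. Keeping `'uri' => tpath + app,` (and likewise for `iapp`, `papp` and the com_ page) preserves the normalized path the caller already computed. Separately, the added else branch `print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response")` dereferences `res1.code` without the nil guard the same method applies to `res`; if `send_request_cgi` returns nil this raises NoMethodError, which none of the visible rescue clauses catch, so the check should read `if res1 && res1.code.to_i == 200` with the error branch changed to `elsif res1`. The enclosing methods' bodies extend beyond the visible hunks.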