Re: [NSE] New script to detect Joomla! Header RCE [2015-8562]

[Johanna Curiel <johannapcuriel () gmail com>]

> > What do you think about the following implementation? If exploit is set
to true then the Joomla/PHP Checks aren't considered and the script tries
to exploit and tell if the server is exploitable. In case headers are
blocked and exploit isn't set true then a debug message saying 'headers
missing, try with exploit set to true to confirm' or similar would appear .

In this case, If server is exploitable but is hiding the information, the
payload will work.

In order to check the different possible PHP versions I was experimenting
with a script like this to parse the PHP version found and compare it to a
table

local response = http.get(host, port, uri, options)
if ( response.status == 200 ) then
–Look for Ubuntu PHP version
for h, v in pairs(response.header) do
vl = v:lower()
if h == “x-powered-by” and string.find(vl, “php/%d+.%d+.%d+”)
then
local versionphp = string.match(vl, “%d+.%d+.%d+”)
stdnse.print_debug(1, versionphp)


Then when I start testing I realised that if the server hided these headers
but was exploitable, the script will be flawed.
Again, this  approach's disadvantage is that is the version is blocked by a
reverse proxy or configuration settings/firewall , even when exploitable we
wont know.

Cheers

Johanna



On Wed, Jan 27, 2016 at 2:55 PM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:

> Hi Johanna,
>
> I had similar thoughts while developing the script. The headers can be
> blocked by the server and in such cases the script would return "safe",
> even though it may be vulnerable, but exploiting and checking by default
> isn't good behavior as well.
>
> What do you think about the following implementation?
>
> If exploit is set to true then the Joomla/PHP Checks aren't considered and
> the script tries to exploit and tell if the server is exploitable. In case
> headers are blocked and exploit isn't set true then a debug message saying
> 'headers missing, try with exploit set to true to confirm' or similar would
> appear .
>
> Regards,
> Gyani
>
>
>
>
>
>
>
>
> ᐧ
>
> On Wed, Jan 27, 2016 at 8:13 PM, Johanna Curiel <johannapcuriel () gmail com>
> wrote:
>
> > Hi Gyanendra
> >
> > Thank you for this awesome work.
> >
> > After taking look of the script, I see many of the recognition work
> > relies on the identifying response headers info and identifying the
> > administrator path console of Jommla.
> >
> > In case this information is hidden or not provided as in the request
> > header, it will not be able to recognise PHP? and if the path has also been
> > blocked (lets say by a firewall) then in that case recognition of  wont be
> > possible at all?
> >
> > Regards
> >
> > Johanna
> >
> > On Tue, Jan 26, 2016 at 6:36 PM, Gyanendra Mishra <anomaly.the () gmail com>
> > wrote:
> >
> > > Hi list,
> > >
> > > #260 on Github called for the development of a script that detects CVE
> > > 2015-8562. This script performs checks for the same and can be used to
> > > optionally exploit the target. I tested this on ubuntu 10.04.1 running
> > > php 5.4.7 and Joomla! 3.4.3. Find the script in the link below.
> > >
> > >
> > >
> > > https://svn.nmap.org/nmap-exp/gyani/scripts/http-vuln-cve2015-8562.nse
> > >
> > >
> > > Cheers,
> > > Gyani
> > > ᐧ
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/