Metasploit mailing list archives
Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE)
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 3 Jun 2011 09:59:48 +0800
That's Excellent!

On Tue, May 31, 2011 at 8:54 PM, GulfTech Security Research <security () gulftech org> wrote:
> Hi,
>
> I ended up breaking this particular exploit into two parts in order to better fit the modular nature of the MSF framework, as suggested to me by the devs. The result is an auxiliary module that will gather credentials and store them to the MSF notes database, and a RCE module used to escalate admin credentials to shell level access.
>
> joomla_filter_order_aux.rb
> https://docs.google.com/leaf?id=0B5oxcQ53hliTYTFlZmE0ZWItYjdkMC00OTM0LWJlNWYtMTM0OThhYjVjYjZk&hl=en_US
>
> joomla_16_admin_exec.rb
> https://docs.google.com/leaf?id=0B5oxcQ53hliTM2Y5NWRhNzYtMmRjZi00MmQzLWJmMzUtM2Y5NzU4YjcyMWVi&hl=en_US
>
> The original exploit works just fine, but some people may prefer it being split this way since the joomla_16_admin_exec.rb can be very useful by itself whenever an attacker has valid admin credentials in their possession.
>
> Hope this helps.
>
> Regards,
> ~James
>
> --
> James Bercegay
> GulfTech Security Research
> http://www.gulftech.org/
>
> On Sat, May 28, 2011 at 11:37 PM, YGN Ethical Hacker Group <lists () yehg net> wrote:
>> Not sure whether this has been submitted or not. James from GulfTech Research and Development coded joomla_filter_order.rb that exploits SQL injection (ref: http://packetstormsecurity.org/files/view/99318/joomla160-sql.txt) in Joomla! 1.6.0 version. The exploit leverages SQL Injection to gain administrator hash. From that, it attempts to upload PHP meterpreter shell using the name of com_joomla component.
>>
>> http://www.gulftech.org/downloads
>> https://docs.google.com/leaf?id=0B5oxcQ53hliTNmZlNGJmODEtNmQ3MC00YWI2LThmMTAtZjUzMGU0OTcxOTNh&hl=en

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) YGN Ethical Hacker Group (May 28)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (May 29)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) HD Moore (May 29)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) GulfTech Security Research (May 31)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) YGN Ethical Hacker Group (Jun 02)
- joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (Jun 03)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) GulfTech Security Research (Jun 03)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (May 29)