Saturday, 20 August 2016

joomlash - new test in grabash.py

During the last few days I had a chance to check the grabash code again. I am aware that this is still not even the 'first' final version ;) so there is always something 'todo' or to fix to get better results from the scan. So, yeah, any feedback is welcome.



After the 'network' scan is finished, the http attacks stage uses the dir_scanner module from Metasploit to check whether there is a directory related to one of the popular CMSes or HTTP servers (like Apache, etc.) and to prepare other tests.

Case for today's update: if there is a Joomla (found by dir_scanner) and we already know the password for admin from another attack (check_joomla()), we can upload a webshell. Let's do it.

As there is already a module to upload a shell to Joomla (you can find it with the msfconsole command: search path:joomla), I decided to change my plan and write a module to send a (php)shell to one of the files located in the Joomla wwwroot.




My goal was to rewrite the error.php file from the default theme.
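From the defender's side, a rewrite of a template file such as error.php shows up as a hash change under the template directories. The following is an added example, not part of the original post or of grabash: a small Python baseline check, where the directory list and the constructed template name `example_template` are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: template code lives under these directories of the Joomla web root.
TEMPLATE_DIRS = ("templates", "administrator/templates")


def snapshot(webroot):
    """Map each template *.php file (path relative to webroot) to its SHA-256."""
    root = Path(webroot)
    hashes = {}
    for tdir in TEMPLATE_DIRS:
        if not (root / tdir).is_dir():
            continue
        for path in sorted((root / tdir).rglob("*.php")):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare(baseline, current):
    """Return the files modified, added and removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Run the check on a constructed web root (not a real Joomla install)."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "example_template"  # constructed name
        tpl.mkdir(parents=True)
        (tpl / "error.php").write_text("<?php /* original error page */ ?>\n")
        (tpl / "index.php").write_text("<?php /* template entry point */ ?>\n")
        baseline = snapshot(tmp)
        # Simulate template files changing after the baseline was taken.
        (tpl / "error.php").write_text("<?php /* content replaced */ ?>\n")
        (tpl / "new.php").write_text("<?php /* unexpected file */ ?>\n")
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline outside the web root, so that an account able to edit templates cannot also update the stored hashes.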

Add the new module to your Metasploit repo and run grabash.py against a vulnerable Joomla host (or just check it directly from msfconsole). The results should be similar to those below:




(As you will see, get-admin's-pass and upload-shell attacks are not connected in grabash code. I decided to leave it like that for now. Maybe next time. ;))

Example output:


...and checking ;)





From the grabash.py log file:



Enjoy ;)

Cheers!
