Add Mida Solutions eFramework ajaxreq.php Command Injection #14074
@bcoles Can you please update your PR description? A blank PR description isn't very helpful for understanding what's going on here, and we tend to close issues with blank PR descriptions. Also for future reference, it would be helpful if you could include a link to where one can download the software. I managed to find a working link at https://www.dropbox.com/s/p3ivbhn3y4xvrpp/eFramework-C7-2.9.0.ova?dl=0 but I'm not sure if this is the official software or not.
The `ajaxreq.php` file allows unauthenticated users to inject | ||
arbitrary commands in the `PARAM` parameter to be executed as the | ||
apache user. This user is permitted to execute any command as root | ||
using sudo without providing a password, resulting in privileged |
by using the `sudo` command without providing a password -> This would read better in my opinion and would reflect the fact that `sudo` is a command more appropriately within this paragraph.
Hey @bcoles, that link is not working for me. Is there another method you went through to get this software? If a trial is sufficient, I can do that. Thanks!
Code and docs lgtm. Tested:
Release Notes
New module
Vulnerable Application
This module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior.
The `ajaxreq.php` file allows unauthenticated users to inject arbitrary commands in the `PARAM` parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root.
This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
Download: http://ova-efw.midasolutions.com/
Verification Steps
use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce
set RHOSTS [IP]
set payload [payload]
set LHOST [IP]
exploit
Options
TARGETURI
Base path to eFramework (Default: `/`)
Scenarios
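
The Vulnerable Application text above attributes the root-level impact to a sudo configuration that lets the apache user run any command as root without a password. As an added example (not part of this PR, Metasploit or the vendor's software), the Ruby check below flags that condition in sudoers text; the account list, the function names and the sample input are assumptions constructed for illustration.

```ruby
# Added example: flag sudoers rules that let a web-server account run any
# command as root without a password. Not Metasploit or vendor code.
SERVICE_ACCOUNTS = %w[apache www-data nginx httpd].freeze # assumed account names

# Join backslash-continued lines, drop comments (but not #include or #uid) and blanks.
def logical_lines(text)
  text.gsub(/\\\r?\n/, ' ').lines.map { |l| l.sub(/#(?!include|\d).*/, '').strip }.reject(&:empty?)
end

# True when the Cmnd_Spec list grants bare ALL under NOPASSWD with root as target.
# Simplified: only a leading Runas_Spec is read; %group users are not resolved.
def root_nopasswd_all?(spec)
  runas = spec[/\A\(([^)]*)\)/, 1] # nil means sudo's default target user, root
  as_root = runas.nil? || runas.split(':').first.to_s.split(',').any? { |u| %w[ALL root].include?(u.strip) }
  return false unless as_root
  nopasswd = false # tags carry over to later commands in the list until reversed
  spec.sub(/\A\([^)]*\)\s*/, '').split(',').any? do |cmd|
    cmd = cmd.strip
    while (tag = cmd[/\A([A-Z_]+):\s*/, 1])
      nopasswd = (tag == 'NOPASSWD') if %w[NOPASSWD PASSWD].include?(tag)
      cmd = cmd.sub(/\A[A-Z_]+:\s*/, '')
    end
    nopasswd && cmd == 'ALL'
  end
end

def risky_sudo_grants(text, accounts = SERVICE_ACCOUNTS)
  lines = logical_lines(text)
  aliases = lines.each_with_object({}) do |l, h| # first pass: expand User_Alias
    m = l.match(/\AUser_Alias\s+(\w+)\s*=\s*(.+)\z/)
    h[m[1]] = m[2].split(',').map(&:strip) if m
  end
  lines.map do |l|
    next if l =~ /\A(Defaults|\w+_Alias\b|[#@]include)/
    next unless (m = l.match(/\A(.+?)\s+(\S+)\s*=\s*(.+)\z/))
    users = m[1].split(',').map(&:strip).flat_map { |u| aliases.fetch(u, [u]) }
    hit = users.include?('ALL') ? accounts : users & accounts
    { users: hit, rule: l } if hit.any? && root_nopasswd_all?(m[3])
  end.compact
end

SAMPLE = <<~'SUDOERS' # constructed input, not taken from the appliance
  User_Alias  WEB = apache, nginx
  WEB         ALL=(ALL) NOPASSWD: ALL
  www-data    ALL=(root) NOPASSWD: /usr/bin/systemctl reload httpd
  apache      ALL = PASSWD: ALL, \
              NOPASSWD: /usr/bin/id
SUDOERS
risky_sudo_grants(SAMPLE).each { |f| puts "#{f[:users].join(',')}: #{f[:rule]}" }
```

On a real host the input would be the contents of `/etc/sudoers` together with the files under `/etc/sudoers.d`; a finding means a command injection in the web application carries root impact.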