First-time Metasploit Framework contributor mcorybillington has added a new module for SuiteCRM versions 7.11.18
and below. The module takes advantage of the application's file-extension validation being case sensitive: the check rejects .php but not .pHp, so an authenticated user can rename the SuiteCRM log file to have an extension of .pHp. Typical web-server handler mappings (for example Apache's mod_mime) match extensions case-insensitively, so the renamed file is still executed as PHP.
Once renamed, the log file can be poisoned with arbitrary PHP code and that code executed by sending an HTTP request for the log file. One additional note is that the input written to the log is sanitized, which limits the PHP that can be executed.
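The bypass described above comes down to an exact-match comparison on the extension. The following Ruby is an added example, not SuiteCRM's or the Metasploit module's code: it models a case-sensitive blocklist check alongside a hardened check (case-normalized, allowlist based, and rejecting a banned extension anywhere in the name), then enumerates every upper/lower-case spelling of a banned extension to show which ones each check lets through. The blocklist, allowlist and filenames are assumed for illustration.

```ruby
# Added example (not from SuiteCRM or Metasploit): case-sensitive
# extension blocklist vs a hardened check, tested with case variants.

BANNED_EXTENSIONS = %w[php phtml phar].freeze   # assumed blocklist, illustrative only
ALLOWED_EXTENSIONS = %w[log txt].freeze         # assumed allowlist for the hardened check

# Extension without the leading dot, or nil when there is none.
def extension_of(filename)
  ext = File.extname(filename)
  ext.empty? ? nil : ext.delete_prefix('.')
end

# Vulnerable pattern: exact string comparison, so 'pHp' != 'php' and passes.
def rename_allowed_case_sensitive?(filename)
  !BANNED_EXTENSIONS.include?(extension_of(filename))
end

# Hardened pattern: lower-case the name, reject a banned extension in any
# position ('suitecrm.php.log' is refused too), then require the final
# extension to be on an allowlist.
def rename_allowed_hardened?(filename)
  parts = File.basename(filename).downcase.split('.')
  return false if parts.size < 2

  exts = parts[1..]
  return false if exts.any? { |e| BANNED_EXTENSIONS.include?(e) }

  ALLOWED_EXTENSIONS.include?(exts.last)
end

# Every upper/lower-case spelling of an extension ('php' gives 8 variants).
def case_variants(ext)
  ext.chars
     .map { |c| [c.downcase, c.upcase].uniq }
     .reduce(['']) { |acc, choices| acc.product(choices).map(&:join) }
end

# Variants of `ext` that the named validator accepts for "suitecrm.<variant>".
def bypassing_variants(validator, ext = 'php')
  case_variants(ext).select { |v| send(validator, "suitecrm.#{v}") }
end

if __FILE__ == $PROGRAM_NAME
  puts "case-sensitive check lets through: #{bypassing_variants(:rename_allowed_case_sensitive?).inspect}"
  puts "hardened check lets through:       #{bypassing_variants(:rename_allowed_hardened?).inspect}"
end
```

Run stand-alone, the case-sensitive validator accepts seven of the eight spellings (everything except the lower-case `php`, `pHp` among them), while the hardened validator accepts none. The practical check when reviewing an upload or rename path is the same enumeration: generate the case permutations of each blocked extension and confirm every one is refused before trusting the filter.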
Metasploit contributor h00die has added a new module which exploits a SQL injection vulnerability in Cacti 1.2.12
and before. An authenticated admin can inject into the filter parameter of color.php
to read arbitrary values from the database and, because the database connection accepts stacked queries, to run additional statements of their own. Using a stacked query, the module changes the path_php_binary
value in the settings table to point at a payload, then calls an update so that Cacti invokes that path and executes the payload.
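From the defender's side, the request pattern above is easy to hunt for in web-server access logs. The following Ruby is an added example, not Cacti's or the module's code: it decodes the filter parameter of requests to color.php and flags stacked queries, with a stronger verdict when the statement touches path_php_binary in the settings table. The log lines are constructed for the example and the log format, regexes and verdict names are assumptions.

```ruby
# Added example (not from Cacti or Metasploit): flag stacked-query injection
# against color.php's filter parameter in access-log lines.
require 'cgi'

# A second statement after ';' is the hallmark of a stacked query.
STACKED_QUERY = /;\s*(update|insert|delete|create|alter|drop)\b/i
# The specific tampering the page describes: rewriting path_php_binary in settings.
SETTINGS_TAMPER = /\bsettings\b.*\bpath_php_binary\b/im

# Pulls the request target out of a common/combined-log-format line.
def request_target(line)
  m = line.match(/"(?:GET|POST)\s+(\S+)\s+HTTP/)
  m && m[1]
end

# Decoded value of the filter parameter when the target is color.php, else nil.
def filter_param(target)
  path, query = target.split('?', 2)
  return nil unless File.basename(path) == 'color.php' && query

  CGI.parse(query)['filter'].first   # CGI.parse percent-decodes and maps '+' to space
end

# :settings_tamper, :stacked_query, or nil for a benign line.
def classify(line)
  target = request_target(line)
  return nil unless target

  filter = filter_param(target)
  return nil unless filter&.match?(STACKED_QUERY)

  filter.match?(SETTINGS_TAMPER) ? :settings_tamper : :stacked_query
end

# Maps each suspicious line to its verdict.
def scan(lines)
  lines.each_with_object({}) do |line, hits|
    verdict = classify(line)
    hits[line] = verdict if verdict
  end
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /cacti/color.php?filter=red HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /cacti/color.php?filter=%27%3B%20UPDATE%20settings%20SET%20value%3D%27/tmp/x.sh%27%20WHERE%20name%3D%27path_php_binary%27%3B%20--%20- HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /cacti/color.php?filter=%27%3B%20INSERT%20INTO%20user_auth%20(username)%20VALUES(%27x%27)%3B%20-- HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /cacti/graph_view.php?filter=%27%3B%20UPDATE%20settings%20SET%20value%3D1%20-- HTTP/1.1" 200 512'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |line, verdict| puts "#{verdict}: #{request_target(line)}" }
end
```

The scan decodes before matching, since the injected text arrives percent-encoded; matching the raw request line would miss it. Only color.php is checked because that is the parameter the page names, so the last sample line (the same pattern against graph_view.php) is deliberately not flagged. Widening the path filter is a one-line change if other endpoints turn out to share the sink.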
New modules:
- SuiteCRM 7.11.18 and below. An authenticated user can rename the SuiteCRM log file to have an extension of .pHp. The log file can then be poisoned with arbitrary PHP code by modifying user account information, such as the user's last name. Authenticated code execution is then achieved by requesting the log file.
- Cacti 1.2.12 and below. The module optionally saves Cacti credentials and uses stacked queries to change the path_php_binary value to execute a payload and get code execution on the server.

Enhancements and features:
- … stat command is available.
- Adds a #pidof method that works with either Meterpreter or shell sessions and updates the #get_processes method to fail over to command execution if it fails for some reason.
- Adds a -p flag to the analyze command, allowing users to specify a payload that should be considered for use with any suggested exploit modules. The output tells the user whether the specified payload can be used with each suggested module.
- … Meterpreter API requirements in the Msf::Post::Windows::MSSQL mixin.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).