## Vulnerable Application

The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
pre-authorized CSS files, which allows the attacker to bypass
authentication. The exploit then relies on the anti-CSRF vulnerability
(CVE-2015-4624) to obtain command injection.

This exploit uses a utility function in
/components/system/configuration/functions.php to execute commands once
authorization has been bypassed.

## Verification Steps

This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
default options are generally effective due to having a set state after being
flashed. You will need to be connected to the WiFi pineapple network (e.g. via
WiFi or ethernet).

Assuming the above 2.3 firmware is installed, this exploit should always work.
If it does not, try it again. It should always work as long as the pineapple is
in its default configuration.