Minor update

Fabio Cogno
2019-04-15 00:08:10 +02:00
parent 20a8324d8e
commit deaa66d694
2 changed files with 16 additions and 15 deletions
@@ -1,29 +1,30 @@
## Description
This module exploits a PHP unserialize() in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability.
This module exploits a PHP (unserialize()) in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability.
The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method make it possible to exploit the unserialize function when passing untrusted values in "data" parameter.
Tested on Pimcore 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0 with the Symfony unserialize payload
Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.6.6 with the Symfony unserialize payload.
Tested on Pimcore 4.6.5, 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5.0, 4.4.3, 4.4.2, 4.4.1, 4.4.0, 4.3.1, 4.3.0, 4.2.0, 4.1.3, 4.1.2, 4.1.1, 4.1.0, 4.0.1, 4.0.0 with the Zend unserialize payload
Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
## Vulnerable Application
Affecting Pimcore, version 5.x <= 5.6.6 and 4.x
Affecting Pimcore, version 5.x <= 5.6.6 and 4.x.
## Verification Steps
1. Setting up a working installation of Pimcore 4.x or 5.x
2. Start `msfconsole`
3. `use exploit/multi/http/pimcore_unserialize_rce`
4. `set RHOST <IP>`
5. `set USERNAME <USERNAME>`
6. `set PASSWORD <PASSWORD>`
7. `check`
8. You should see `The target service is running, but could not be validated.`
9. `exploit`
10. You should get a meterpreter session!
Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-project pimcore/skeleton my-project` for the 5.x branch) as described on [Pimcore Installation documentation](https://pimcore.com/docs/5.x/Development_Documentation/Getting_Started/Installation.html) then:
1. Start `msfconsole`
2. `use exploit/multi/http/pimcore_unserialize_rce`
3. `set RHOST <IP>`
4. `set USERNAME <USERNAME>`
5. `set PASSWORD <PASSWORD>`
6. `check`
7. You should see `The target service is running, but could not be validated.`
8. `exploit`
9. You should get a meterpreter session!
## Options
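Review bot: the reworded first sentence, `This module exploits a PHP (unserialize()) in Pimcore before 5.7.1 to execute arbitrary code.`, is left without a noun for what is being exploited; the parentheses around `unserialize()` make it read worse than the line it replaces. Suggest `This module exploits a PHP unserialize() vulnerability in Pimcore before 5.7.1 to execute arbitrary code.` Two smaller points in the same hunk: collapsing the tested-version lists into ranges changes what is claimed, since `Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.6.6` now covers every 5.5.x release after 5.5.4 as well, while the replaced line only enumerated 5.5.1 through 5.5.4 and 5.6.0 through 5.6.6; either keep the explicit list or confirm no such releases exist. And the new setup sentence gives a `composer create-project` example and a documentation link for the 5.x branch only, although the step says 4.x or 5.x; a 4.x pointer (or a note that the example applies to 5.x only) would keep the verification steps usable for the Zend payload target too.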