Technique to exploit Web security vulnerabilities on Metasploit Framework (P3)

Tram Ho

Continuing unfinished knowledge in part 2 . Today we will continue to work together to write a simple exploit code on Metasploit Framework.

7. Script to exploit Path traversal vulnerability in CMS Voyager Laravel

Since the goal is to write simple exploit code, the initial selection of the testing platform is quite important. We try to choose the vulnerabilities that are easy to exploit, the shortest path to exploit and the least laborious. Here I choose Path traversal vulnerability in CMS Voyager Laravel because it fully meets the above requirements. The level of exploitation is easy as well as it is easy to visualize the effectiveness of the code. This vulnerability was found by a colleague and publicized here

7.1 Set up the test environment

Voyager is an open source web application built on PHP’s Laravel Framework. Voyager is open source and currently in development at . The application allows users to create a system administration page quickly and easily.

To be able to install Voyager, we need to install PHP and Laravel first. The following section shows how to install PHP and Laravel on a Centos 7.0 server environment

First use the following command to install the Apache web server:

After the installation is complete, start Apache and let Apache start with the system:

Set the rules for the firewall so that Apache can work:

Mysql database management system installation:

Install PHP 7.2

Install “composer” and “Laravel”:

After you have built the necessary environment on the server. We proceed to install Voyager version 1.3.0:

Create a database with Mysql then edit the file “.env” at the directory path: “/var/www/html/voyager/.env” and add the following configuration parameters:

Start the process of installing and configuring Voyager automatically:

After performing the above steps, Voyager was successfully installed on the server. Use the following command to be able to run the service. Add the parameter “–host =” so that Voyager is accessible from external ip addresses.

By default Voyager will run on port 8000. You can use parameter “–port = [port]” to change the port that the Voyager service listens to.

After running the program, access http: // ip: 8000 / admin to access Voyager’s admin page:

7.2 Exploiting Path traversal vulnerability in CMS Voyager Laravel with “manual”

Let’s take a look at the source code of the API:

In applications built on Voyager there is an API ” GET / admin / voyager-assets? Path = [….] “. With the parameter “path” is the path to the resource files such as images, javascript, files … of the application.

The code above tried to counter “Path traversal” by removing the strings “../” and “./” but obviously not thoroughly. An attacker can easily bypass using the string “…..% 2F% 2F% 2F”. From there you can exploit “Path traversal” and read the system files on the server:

The above vulnerability has been fixed since versions> 1.3.0. Details about the patch here :

7.3 Exploiting Path traversal vulnerability in CMS Voyager Laravel using Metasploit Framework

First, you need to declare the information about the vulnerability and necessary parameters:

The following two statements are used to declare two parameters required for an extraction. “FILEPATH” is the absolute path of the file on the server. “DEPTH” is the parameter that determines the rank of the current Voyager directory. The default is set to 10:

Next is the code used to send requests to the server and exploit the vulnerability:

Since the vulnerability does not require authentication and the testing platform does not use minimum security methods, it is relatively easy to write exploit code.

7.3.1 Use of exploit codes

Save the exploit code to the Metasploit Framework installation directory ” /usr/share/metasploit-framework/modules/exploits/myexploits/voyager.rb “. Then start Voyager. Set the required parameters for the extraction:

After extraction, Metasploit Framework will return the path to save the file. Use the cat command to view the file’s contents:

8. Summary

Through here, we have successfully built a simple exploit code on Metasploit Framework. In the next part, I will present more difficult mining codes, longer and more complex mining paths. Thank you all for reading, see you in part 4.

References :

Thank to doandinhlinh

Share the news now

Source : Viblo