Land rapid7#8194, piwik_superuser_plugin_upload update

wvu · wvu · commit 04740bd2e63c · 2017-04-09T22:24:10.000-05:00
diff --git a/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md b/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md
@@ -5,6 +5,8 @@ Older builds are also available from [builds.piwik.org](https://builds.piwik.org
 
 This module was tested with Piwik versions 2.14.0, 2.16.0, 2.17.1 and 3.0.1
 
+Piwik disabled custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you have to enable custom plugin uploads via the config file.
+
 ## Verification Steps
 
 ### Install Piwik (Debian/Ubuntu)
diff --git a/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb b/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
@@ -20,7 +20,9 @@ def initialize(info = {})
           This module will generate a plugin, pack the payload into it
           and upload it to a server running Piwik. Superuser Credentials are
           required to run this module. This module does not work against Piwik 1
-          as there is no option to upload custom plugins.
+          as there is no option to upload custom plugins. Piwik disabled
+          custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you
+          have to enable custom plugin uploads via the config file.
           Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.
         },
       'License'         => MSF_LICENSE,
@@ -30,7 +32,9 @@ def initialize(info = {})
         ],
       'References'      =>
         [
-          [ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ]
+          [ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ],
+          [ 'URL', 'https://piwik.org/faq/plugins/faq_21/' ],
+          [ 'URL', 'https://piwik.org/changelog/piwik-3-0-3/' ]
         ],
       'DisclosureDate'  => 'Feb 05 2017',
       'Platform'        => 'php',
@@ -314,6 +318,10 @@ def exploit
 
     upload_nonce = nil
     if res && res.code == 200
+      if res.body =~ /Plugin upload is disabled in config file/
+        fail_with(Failure::NotVulnerable, 'Custom plugin uploads are disabled')
+      end
+
       match = res.body.match(/<form.+id="uploadPluginForm".+nonce=(\w+)/m)
       if match
         upload_nonce = match[1]
@@ -362,4 +370,3 @@ def exploit
     }, 5)
   end
 end
-
