SuiteCRM Log File RCE
First-time Metasploit Framework contributor mcorybillington has added a new module for SuiteCRM versions 7.11.18 and below. This module takes advantage of the input validation being case-sensitive, allowing an authenticated user to rename the SuiteCRM log file to have an extension of .pHp. Once changed, the log file can be poisoned with arbitrary PHP code and executed by sending an HTTP request to the log file. One additional note is that the PHP code is sanitized, limiting the executable PHP code.
Cacti Color Filter Authenticated SQL Injection to RCE
Metasploit contributor h00die has added a new module which exploits a SQL injection vulnerability in Cacti 1.2.12 and before. This exploit allows an admin to inject a query into the filter parameter within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is then changed within the settings table to a payload, and an update is called to execute the payload.
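Because the code-execution step of this chain is a write to the path_php_binary row of the settings table, that row is a useful thing for defenders to monitor. The Ruby snippet below is an added example for this post, not Cacti's or the Metasploit module's code; it audits constructed name/value rows shaped like the Cacti settings table against an assumed allowlist of PHP binary paths and flags any value that is empty, relative, contains shell metacharacters, or is not on the allowlist.

```ruby
# Added example (not Cacti's or Metasploit's code).
# Assumed allowlist of legitimate PHP binary locations for illustration.
KNOWN_PHP_BINARIES = %w[/usr/bin/php /usr/local/bin/php /usr/bin/php7.4].freeze

# Constructed sample rows resembling Cacti's settings table (name, value).
# The second path_php_binary row is a constructed tampered value.
SAMPLE_SETTINGS = [
  { 'name' => 'path_rrdtool',    'value' => '/usr/bin/rrdtool' },
  { 'name' => 'path_php_binary', 'value' => '/usr/bin/php' },
  { 'name' => 'path_php_binary', 'value' => '/tmp/constructed_tampered_value' },
  { 'name' => 'log_verbosity',   'value' => '3' },
].freeze

# A value is suspicious when it is empty, not an absolute path, carries
# characters that only make sense in a shell command line, or is not one of
# the binaries the administrator expects.
def suspicious_php_binary?(value)
  return true if value.nil? || value.strip.empty?
  return true unless value.start_with?('/')
  return true if value.match?(/[\s;&|`$<>()]/)
  !KNOWN_PHP_BINARIES.include?(value)
end

# Return every path_php_binary value in the rows that fails the check.
def audit_settings(rows)
  rows.select { |r| r['name'] == 'path_php_binary' && suspicious_php_binary?(r['value']) }
      .map { |r| r['value'] }
end

if __FILE__ == $PROGRAM_NAME
  flagged = audit_settings(SAMPLE_SETTINGS)
  puts(flagged.empty? ? 'path_php_binary looks clean' : "suspicious path_php_binary: #{flagged.inspect}")
end
```

In practice the rows would come from a periodic read of the live settings table or from a database audit log; the check itself is deliberately strict, since a legitimate change to this setting is rare and should be reviewed by hand.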
New module content (2)
- SuiteCRM Log File Remote Code Execution by M. Cory Billington, which exploits CVE-2020-28328 - This adds an exploit that targets SuiteCRM versions 7.11.18 and below. An authenticated user can rename the SuiteCRM log file to have an extension of .pHp. The log file can then be poisoned with arbitrary PHP code by modifying user account information, such as the user's last name. Authenticated code execution is then achieved by requesting the log file.
- Cacti color filter authenticated SQLi to RCE by Leonardo Paiva, Mayfly277, and h00die, which exploits CVE-2020-14295 - This adds a module that exploits an authenticated SQL injection vulnerability in Cacti versions 1.2.12 and below. The module optionally saves Cacti creds and uses stacked queries to change the path_php_binary value to execute a payload and get code execution on the server.
Enhancements and features
- #15251 from pingport80 - This adds support for obtaining a stat object from the Post API via shell sessions when the stat command is available.
- #15260 from pingport80 - This adds a #pidof method that works with either Meterpreter or shell sessions and updates the #get_processes method to fail over to command execution if it fails for some reason.
- #15263 from adfoster-r7 - Adds a -p flag to the analyze command, allowing users to specify a payload that should be considered for use with any suggested exploit modules. Output will inform the user if the specified payload can be used with suggested exploit modules.
- #15194 from agalway-r7 - Fixes a bug where msfconsole would crash when connected to a remote dataservice and tab-completing possible RPORT values.
- #15289 from zeroSteiner - Corrects a command mapping for meterpreter API requirements in the
- #15291 from gwillcox-r7 - Fixes a crash within the FortiOS SSL VPN Credential Leak module when run against a target which is not running FortiOS.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).