Vulnerability & Exploit Database

Back to search

Tuleap 9.6 Second-Order PHP Object Injection

This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which could be abused by authenticated users to execute arbitrary PHP code with the permissions of the webserver. The vulnerability exists because of the User::getRecentElements() method is using the unserialize() function with data that can be arbitrarily manipulated by a user through the REST API interface. The exploit's POP chain abuses the __toString() method from the Mustache class to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/unix/webapp/tuleap_rest_unserialize_exec

Authors

  • EgiX

References

Targets

  • Tuleap <= 9.6

Platforms

  • php

Architectures

  • php

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec msf exploit(tuleap_rest_unserialize_exec) > show targets ...targets... msf exploit(tuleap_rest_unserialize_exec) > set TARGET <target-id> msf exploit(tuleap_rest_unserialize_exec) > show options ...show and set options... msf exploit(tuleap_rest_unserialize_exec) > exploit