Crypttech CryptoLog Remote Code Execution
Description
This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog. An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities are no longer present in the ASP.NET version CryptoLog, available since 2009. CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is used by the application without input validation and parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a valid session. CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. One user parameter is used by the application while executing an operating system command, which causes a command injection issue. Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user.
Author(s)
- Mehmet Ince <mehmet@mehmetince.net>
Platform
Python
Architectures
python
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/crypttech_cryptolog_login_exec
msf exploit(crypttech_cryptolog_login_exec) > show targets
...targets...
msf exploit(crypttech_cryptolog_login_exec) > set TARGET < target-id >
msf exploit(crypttech_cryptolog_login_exec) > show options
...show and set options...
msf exploit(crypttech_cryptolog_login_exec) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security