module
Crypttech CryptoLog Remote Code Execution
| Disclosed | Created |
|---|---|
| 05/03/2017 | 05/30/2018 |
Disclosed
05/03/2017
Created
05/30/2018
Description
This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog.
An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities
are no longer present in the ASP.NET version CryptoLog, available since 2009.
CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is
used by the application without input validation and parameter binding, which leads to SQL injection
vulnerability. Successfully exploiting this vulnerability gives a valid session.
CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not
possible to access this endpoint without having a valid session. One user parameter is used by the
application while executing an operating system command, which causes a command injection issue.
Combining these vulnerabilities gives the opportunity execute operation system commands under the context
of the web user.
An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities
are no longer present in the ASP.NET version CryptoLog, available since 2009.
CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is
used by the application without input validation and parameter binding, which leads to SQL injection
vulnerability. Successfully exploiting this vulnerability gives a valid session.
CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not
possible to access this endpoint without having a valid session. One user parameter is used by the
application while executing an operating system command, which causes a command injection issue.
Combining these vulnerabilities gives the opportunity execute operation system commands under the context
of the web user.
Author
Mehmet Ince
Platform
Python
Architectures
python
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/crypttech_cryptolog_login_exec
msf /(c) > show actions
...actions...
msf /(c) > set ACTION < action-name >
msf /(c) > show options
...show and set options...
msf /(c) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.