PA Attack Defense Lab [CVE-2018–7466]
- Fingerprinting the Website
- Looking for possible exploits
- Remote Code Execution
- Examining the exploit
Lab Description — The attacker might not have any user-level access to the web application. However, this does not mean that the application cannot be attacked remotely. Remote Code Execution vulnerabilities could be triggered even by unauthenticated users.
In this lab, we’ll examine TestLink, which is a web-based test management and test execution system. It enables quality assurance teams to create and manage their test cases and to organize them into test plans.
Although the name of the lab [CVE-2018–7466] gives us a relevant CVE to use, I’ll go through the application using my general web application pentest methodology.
Our objective — Find and exploit the vulnerability
Before moving forward I’ll note the “Prohibited Activities” section to make sure I remain in scope, which is always good practice and something I’d recommend to everyone.
Let’s get started.
1. Fingerprinting the Website
On starting the lab we’re provided with the lab link. Let’s open the landing page and examine it. We can see the TestLink login page, and it gives us the version information.
- Landing page -> /login.php
- Version -> [TestLink 1.9.11 (The Robots of Dawn)]
We can start by making a test account and looking at some of the application’s functionality.
- Making a test account -> index.php?caller=login
- We get another confirmation of the version: [TestLink 1.9.11 (The Robots of Dawn)]
Now that we have solid confirmation of the version, my first thought is to check whether any exploits are available for it.
2. Looking for possible exploits
We can conveniently start with a searchsploit search:
And we have a candidate for our version, and the fact that it is an RCE [CVE-2018–7466] is even juicier. So let’s start by looking at how it works.
- Vulnerable code is in the file “install/installNewDB.php”. TestLink allows the user to re-install it, and when the user visits the “/install/” directory and reaches the “Database detail” page, i.e. “install/installNewDB.php”, the user can specify PHP code in the “TestLink DB login” field. After successful installation, the PHP code is saved in the config file. [https://www.exploit-db.com/exploits/44226]
It points to vulnerable code that we can leverage to insert PHP code and get remote code execution.
3. Remote Code Execution
We can assume the role of an unauthenticated user and start with the installation and configuration of TestLink:
1. Start the new installation: click “New installation”
2. Accept the terms and proceed to the next page
3. Continue with “Verification of System and configuration requirements”
4. For the database configuration we can add the remote database credentials provided in the lab description:
   - Database name: app
   - Database Admin User: pentester
   - Database Admin Password: password1
5. In the “TestLink DB login” field we can inject our PHP code.
   First, we close the define() parentheses with box') and then we can add PHP code. Here I have added a one-liner web shell to test with, using the parameter kekw ;)
   The TestLink DB password can be anything; here I added 1234.
6. We can see our connection to the database server was successful and the PHP code was included.
Now we can visit the vulnerable page where our PHP code has been included and pass a value in the kekw parameter.
4. Examining the exploit
Now that we have achieved remote code execution our task as per the lab is over; however, I decided to take a small detour into the exploit and what exactly it is doing.
It is based on the exploit documentation at [https://www.exploit-db.com/exploits/44226]:
- When the attacker provides the credentials of a remote, attacker-controlled MySQL server (in our case the DB “app”) that is listening for the remote connection. The attacker just needs to specify the remote MySQL server IP, the root user’s username and password, and custom PHP code in the “TestLink DB login” field.
- Once the script establishes a successful connection to the root user account of the remote MySQL server, it will create a MySQL user with the name:
and it will write this username into the config_db.inc.php file. After that the attacker just needs to access the config file config_db.inc.php with the following GET HTTP parameters.
- For instance, we can insert the content of a file/external payload into a system file to get a shell or execute commands.
- One easy use case can be reading “/etc/passwd”:
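As an added example (not part of this write-up, the exploit-db entry or the TestLink project), here is a small Python audit a defender can run over a deployed config_db.inc.php to spot the string breakout this CVE relies on, shown next to the naive config writer that causes it and an escaped writer that does not. The constant names and file layout are an assumption based on the lab’s description, the breakout value is constructed and only echoes a marker, and the hostname is a placeholder.

```python
import re

# Constructed sample of a config_db.inc.php as written by a clean install.
# Constant names and layout are an assumption, not copied from TestLink.
CLEAN_CONFIG = """<?php
define('DB_TYPE', 'mysql');
define('DB_USER', 'pentester');
define('DB_PASS', 'password1');
define('DB_HOST', 'db.example.internal');
define('DB_NAME', 'app');
"""

# Constructed breakout value: closes the define() call the way the lab's box')
# prefix does, then appends a harmless marker statement instead of a shell.
PAYLOAD = "box'); echo 'marker'; //"


def render_define_unsafe(name, value):
    """Naive concatenation: the bug class behind this CVE (assumed shape of the old writer)."""
    return f"define('{name}', '{value}');"


def php_single_quoted(value):
    """Escape for a PHP single-quoted literal; only backslash and quote are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_define(name, value):
    """Hardened writer: validated constant name, escaped value, so input stays data."""
    if not re.fullmatch(r"[A-Z_]+", name):
        raise ValueError(f"refusing constant name {name!r}")
    return f"define('{name}', {php_single_quoted(value)});"


def render_config(settings):
    return "<?php\n" + "\n".join(render_define(k, v) for k, v in settings.items()) + "\n"


# What the unsafe writer leaves on disk for the constructed payload.
INJECTED_CONFIG = "<?php\n" + "\n".join([
    render_define_unsafe("DB_TYPE", "mysql"),
    render_define_unsafe("DB_USER", PAYLOAD),
    render_define_unsafe("DB_PASS", "1234"),
]) + "\n"

DEFINE_LINE = re.compile(r"^define\('([A-Z_]+)',\s*'(.*)'\);$")
# A well-formed single-quoted body: escaped characters or anything but ' and \.
WELL_FORMED = re.compile(r"(?:\\.|[^'\\])*")


def audit_config(text):
    """Return (line_no, reason, detail) for every line that is not a clean define()."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line in ("<?php", "?>") or line.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_LINE.match(line)
        if not m:
            findings.append((no, "unexpected statement", line))
            continue
        name, value = m.groups()
        if not WELL_FORMED.fullmatch(value):
            # An unescaped quote means the value ended the literal early:
            # whatever follows it is executed as PHP.
            findings.append((no, f"string breakout in {name}", value))
        elif "<?" in value:
            findings.append((no, f"PHP open tag inside {name}", value))
    return findings


if __name__ == "__main__":
    for finding in audit_config(INJECTED_CONFIG):
        print(finding)
```

Running the audit on the unsafe output flags line 3 (DB_USER) as a string breakout, while the same payload passed through the escaped writer is kept inside the literal and produces no findings. In practice the check belongs in a file-integrity job alongside verifying that the /install/ directory is removed or blocked after setup, which is the root condition this lab relies on.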
CVE is a registered trademark of The MITRE Corporation.
That’s it for today; do visit the PA Attack Defense labs to try it out for yourself. And not only this one: there are several other labs to try and learn from.
You can start with free labs here — https://attackdefense.com/freelabs