bludit module

lib/resources/wordlists/www_buster_filename

@@ -0,0 +1,4 @@
+TODO
+todo
+notes
+readme

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/bludit_upload_images_exec.pp

@@ -0,0 +1,9 @@
+# require bludit_upload_images_exec::install
+# require bludit_upload_images_exec::apache
+# require bludit_upload_images_exec::configure
+contain bludit_upload_images_exec::install
+contain bludit_upload_images_exec::apache
+contain bludit_upload_images_exec::configure
+Class['bludit_upload_images_exec::install'] ->
+Class['bludit_upload_images_exec::apache'] ->
+Class['bludit_upload_images_exec::configure']

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/manifests/apache.pp

@@ -0,0 +1,31 @@
+class bludit_upload_images_exec::apache {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+  $docroot = '/var/www/bludit-3-9-2'
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  ensure_resource('tidy','gl remove default site', {'path'=>'/etc/apache2/sites-enabled/000-default.conf'})
+
+  class { '::apache':
+    default_vhost => false,
+    default_mods => ['rewrite'], # php5 via separate module
+    overwrite_ports => false,
+    mpm_module => 'prefork'
+  } ->
+
+  ::apache::vhost { 'www-bludit':
+    port    => $port,
+    docroot => $docroot,
+  } ->
+
+
+  # restart apache
+  exec { 'restart-apache-bludit':
+    command => 'service apache2 restart',
+    logoutput => true
+  } ->
+  exec { 'wait-apache-bludit':
+    command => 'sleep 4',
+  }
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/manifests/configure.pp

@@ -0,0 +1,88 @@
+class bludit_upload_images_exec::configure {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+  $known_username = $secgen_parameters['known_username'][0]
+  $known_password = $secgen_parameters['known_password'][0]
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+  $web_pre_leak_filename = $secgen_parameters['web_pre_leak_filename'][0]
+  # $images_to_leak = $secgen_parameters['images_to_leak']
+
+  # differenitaion in website content generation
+  $raw_org = $secgen_parameters['organisation'][0]
+  if $raw_org and $raw_org != '' {
+    $organisation = parsejson($raw_org)
+  }
+
+  if $organisation and $organisation != '' {
+    $business_name = $organisation['business_name']
+    $business_motto = $organisation['business_motto']
+    $manager_profile = $organisation['manager']
+    $business_address = $organisation['business_address']
+    $office_telephone = $organisation['office_telephone']
+    $office_email = $organisation['office_email']
+    $industry = $organisation['industry']
+    $product_name = $organisation['product_name']
+    $employees = $organisation['employees']
+    $intro_paragraph = $organisation['intro_paragraph']
+  }
+
+  if $strings_to_pre_leak.length != 0 {
+  	file{ "/var/www/bludit-3-9-2/$web_pre_leak_filename":
+  		ensure => file,
+  		content => template('bludit_upload_images_exec/pre_leak.erb')
+  	}
+  }
+
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  # automate the install
+  exec { 'set-admin-password-bludit':
+    command => "curl -d 'username=$known_username&password=$known_password' http://localhost/install.php",
+    provider => 'shell',
+    logoutput => true
+  } ->
+
+  # manually place website contents via templates
+	file{ "/var/www/bludit-3-9-2/bl-content/databases/site.php":
+		ensure => file,
+		content => template('bludit_upload_images_exec/site.php.erb')
+	} ->
+	file{ "/var/www/bludit-3-9-2/bl-content/databases/pages.php":
+		ensure => file,
+		content => template('bludit_upload_images_exec/pages.php.erb')
+	} ->
+	file{ "/var/www/bludit-3-9-2/bl-content/pages/about/index.txt":
+		ensure => file,
+		content => template('bludit_upload_images_exec/about.erb')
+	} ->
+	file{ "/var/www/bludit-3-9-2/bl-content/databases/plugins/about/db.php":
+		ensure => file,
+		content => template('bludit_upload_images_exec/about_sidebar.php.erb')
+	} ->
+	file{ "/var/www/bludit-3-9-2/bl-content/pages/what-we-do/":
+		ensure => directory,
+	} ->
+	file{ "/var/www/bludit-3-9-2/bl-content/pages/what-we-do/index.txt":
+		ensure => file,
+		content => template('bludit_upload_images_exec/what-we-do.erb')
+	} ->
+  # the user that is created on install gets called admin, even when specifying another name, this fixes that
+  exec { 'fix-admin-username-bludit':
+    command => "sed -i 's/\"admin\":/\"$known_username\":/g' /var/www/bludit-3-9-2/bl-content/databases/users.php",
+    provider => 'shell',
+    logoutput => true
+  }
+
+  ::secgen_functions::leak_files { 'bludit-flag-leak':
+    storage_directory => '/var/www/bludit-3-9-2/bl-content/tmp',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => 'www-data',
+    mode              => '0750',
+    leaked_from       => 'bludit_upload_images_exec',
+  }
+
+
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/manifests/install.pp

@@ -0,0 +1,27 @@
+class bludit_upload_images_exec::install {
+  # sets the default paths to use
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  ensure_packages(['php-xml','php-gd','php.mbstring','php-json'])
+  case $operatingsystemrelease {
+    /^(9|10).*/: { # do 9.x stretch stuff
+      ensure_packages('php5.6-gd')
+    }
+  }
+
+  # copy and unzip archive
+  $archive = 'bludit-3-9-2.zip'
+  file { "/usr/local/src/$archive":
+    ensure => file,
+    source => "puppet:///modules/bludit_upload_images_exec/$archive",
+  } ->
+  exec { 'unpack-bludit':
+    cwd => '/usr/local/src',
+    command => "unzip $archive -d /var/www",
+  } ->
+  exec { 'chown-bludit':
+    command => "chown www-data. /var/www -R",
+  }
+
+
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/secgen_metadata.xml

@@ -0,0 +1,104 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>Bludit Directory Traversal Image File Upload Vulnerability</name>
+  <author>Z. Cliffe Schreuders</author>
+  <module_license>MIT</module_license>
+  <description>
+    There is a vulnerability in Bludit. A remote user could abuse the uuid
+    parameter in the image upload feature in order to save a malicious payload anywhere
+    onto the server, and then use a custom .htaccess file to bypass the file extension
+    check to finally get remote code execution.
+    Note that this version also has a separate vuln that makes it vulnerable to bruteforce.
+  </description>
+
+  <type>webapp</type>
+  <type>bruteforceable</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+
+  <!-- [0] leaks flag to home directory, [1..n] leak messages to gitlist repository (visible through the webapp) -->
+  <default_input into="port">
+    <value>80</value>
+  </default_input>
+
+  <default_input into="organisation">
+    <generator type="realistic_organisation" />
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+  <!-- these details need to be known or bruteforced to successful exploit the service -->
+  <default_input into="known_username">
+		<!-- <generator type="random_sanitised_word">
+			<input into="wordlist">
+				<value>admin_name</value>
+			</input>
+		</generator> -->
+    <value>admin</value>
+  </default_input>
+  <default_input into="known_password">
+    <generator type="weak_password_generator" />
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+  <default_input into="web_pre_leak_filename">
+    <generator type="random_sanitised_word">
+			<input into="wordlist">
+				<value>www_buster_filename</value>
+			</input>
+		</generator>
+  </default_input>
+
+  <!--optional vulnerability details-->
+  <!-- image upload vuln -->
+  <cve>CVE-2019-16113</cve>
+  <!-- bruteforce vuln -->
+  <cve>CVE-2019-17240</cve>
+
+  <cvss_base_score>9</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:S/C:C/I:C/A:C</cvss_vector>
+  <reference>https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/bludit_upload_images_exec.rb</reference>
+  <reference>https://github.com/bludit/bludit/issues/1081</reference>
+  <software_name>bludit</software_name>
+  <software_license>MIT</software_license>
+
+
+  <!--optional hints-->
+  <msf_module>exploit/linux/http/bludit_upload_images_exec</msf_module>
+  <hint>Visit the webapp in a browser at: ip:80/bludit </hint>
+
+  <!-- can't live alongside other web sites, since it accepts any virtual host name -->
+  <conflict>
+    <type>webapp</type>
+  </conflict>
+
+  <requires>
+    <module_path>.*apache.*compatible.*</module_path>
+  </requires>
+
+  <requires>
+    <module_path>.*php.*compatible.*</module_path>
+  </requires>
+
+
+</vulnerability>

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/secgen_test/bludit_upload_images_exec.rb

@@ -0,0 +1,17 @@
+require_relative '../../../../../lib/post_provision_test'
+
+class BluditTest < PostProvisionTest
+  def initialize
+    self.module_name = 'bludit_upload_images_exec'
+    self.module_path = get_module_path(__FILE__)
+    super
+  end
+
+  def test_module
+    super
+    test_service_up
+    test_html_returned_content('/', '<title>Bludit</title>')
+  end
+end
+
+BluditTest.new.run

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/about.erb

@@ -0,0 +1,24 @@
+<div class="row" id="about">
+  <p>
+    <%# intro paragraph from the organisation JSON for more differentiation %>
+    <% @intro_paragraph.each { |intro_paragraph| -%>
+      <%= intro_paragraph %>
+    <% } -%>
+  </p>
+</div>
+
+<div class="row">
+  <div class="col-12" id="contact_info">
+    <%# This is where the differentiation for the business is displayed %>
+    <h3>For more information contact us:</h3><br>
+    <ul>
+      <li>Email: <%= @office_email %></li>
+      <li>Phone: <%= @office_telephone %></li>
+      <li>Address: <%= @business_address %></li>
+    </ul>
+
+    Or for a more specific enquiry contact <%= @manager_profile['name'] %>, our manager:<br>
+    <p>Phone: <%= @manager_profile['phone_number'] %></p><br>
+    <p>Email: <%= @manager_profile['email_address'] %></p>
+  </div>
+</div>

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/about_sidebar.php.erb

@@ -0,0 +1,6 @@
+<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
+{
+    "position": 1,
+    "label": "About",
+    "text": "<%= @business_motto %>."
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/pages.php.erb

@@ -0,0 +1,50 @@
+<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
+{
+
+   "about":{
+      "title":"About",
+      "description":"",
+      "username":"admin",
+      "tags":[
+
+      ],
+      "type":"static",
+      "date":"2021-11-02 13:32:02",
+      "dateModified":"",
+      "allowComments":true,
+      "position":1,
+      "coverImage":"",
+      "md5file":"",
+      "category":"general",
+      "uuid":"",
+      "parent":"",
+      "template":"",
+      "noindex":false,
+      "nofollow":false,
+      "noarchive":false
+   },
+   "what-we-do":{
+      "title":"What we do... What don't we do?",
+      "description":"",
+      "username":"admin",
+      "tags":[
+
+      ],
+      "type":"published",
+      "date":"2021-11-02 10:38:46",
+      "dateModified":"",
+      "position":2,
+      "coverImage":"",
+      "category":"",
+      "md5file":"",
+      "uuid":"",
+      "allowComments":true,
+      "template":"",
+      "noindex":false,
+      "nofollow":false,
+      "noarchive":false,
+      "custom":[
+
+      ]
+   }
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/pre_leak.erb

@@ -0,0 +1,3 @@
+<% @strings_to_pre_leak.each { |string_to_pre_leak| -%>
+  <%= string_to_pre_leak %>
+<% } -%>

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/site.php.erb

@@ -0,0 +1,39 @@
+<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
+{
+   "title":"<%= @business_name %>",
+   "slogan":"<%= @business_motto %>",
+   "description":"Contact us for a quote.",
+   "footer":"Copyright \u00a9 2021",
+   "itemsPerPage":6,
+   "language":"en",
+   "locale":"en, en_US, en_AU, en_CA, en_GB, en_IE, en_NZ",
+   "timezone":null,
+   "theme":"<%= ["alternative", "blogx"].sample %>",
+   "adminTheme":"booty",
+   "homepage":"",
+   "pageNotFound":"",
+   "uriPage":"\/",
+   "uriTag":"\/tag\/",
+   "uriCategory":"\/category\/",
+   "uriBlog":"",
+   "url":"",
+   "emailFrom":"no-reply@localhost",
+   "orderBy":"date",
+   "currentBuild":20190530,
+   "twitter":"https:\/\/twitter.com\/bludit",
+   "facebook":"https:\/\/www.facebook.com\/bluditcms",
+   "codepen":"",
+   "github":"https:\/\/github.com\/bludit",
+   "instagram":"",
+   "gitlab":"",
+   "linkedin":"",
+   "dateFormat":"F j, Y",
+   "extremeFriendly":true,
+   "autosaveInterval":2,
+   "titleFormatHomepage":"{{site-slogan}} | {{site-title}}",
+   "titleFormatPages":"{{page-title}} | {{site-title}}",
+   "titleFormatCategory":"{{category-name}} | {{site-title}}",
+   "titleFormatTag":"{{tag-name}} | {{site-title}}",
+   "imageRestrict":true,
+   "imageRelativeToAbsolute":false
+}

modules/vulnerabilities/unix/webapp/bludit_upload_images_exec/templates/what-we-do.erb

@@ -0,0 +1,9 @@
+<p>
+  <%= @business_name %> are the best at what we do.
+</p>
+<p>
+  <%# intro paragraph from the organisation JSON for more differentiation %>
+  <% @intro_paragraph.each { |intro_paragraph| -%>
+    <%= intro_paragraph %>
+  <% } -%>
+</p>

scenarios/ctf/feeling_blu.xml

@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <name>Feeling Blu</name>
+  <author>Z. Cliffe Schreuders</author>
+  <description>Hack the web_server from kali.
+  </description>
+
+  <type>ctf</type>
+  <type>pwn-ctf</type>
+  <difficulty>medium</difficulty>
+
+  <system>
+    <system_name>attack_vm</system_name>
+    <base distro="Kali" name="MSF"/>
+
+
+    <input into_datastore="IP_addresses">
+      <!-- 0 attack_vm -->
+      <value>172.16.0.2</value>
+      <!-- 1 hackme_server -->
+      <value>172.16.0.3</value>
+    </input>
+
+    <utility module_path=".*/iceweasel">
+      <input into="accounts">
+        <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+      </input>
+      <input into="autostart">
+        <value>false</value>
+      </input>
+    </utility>
+
+    <utility module_path=".*/kali_top10"/>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+  <system>
+    <system_name>web_server</system_name>
+		<base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <input into="organisation" into_datastore="organisation">
+      <encoder type="line_selector">
+        <input into="file_path">
+          <value>lib/resources/structured_content/organisations/json_organisations</value>
+        </input>
+      </encoder>
+    </input>
+
+
+    <vulnerability module_path=".*/bludit_upload_images_exec">
+      <input into="strings_to_leak">
+        <generator type="flag_generator"/>
+      </input>
+      <input into="organisation">
+        <datastore>organisation</datastore>
+      </input>
+      <input into="known_username">
+        <datastore access_json="['manager']['username']">organisation</datastore>
+      </input>
+      <input into="strings_to_pre_leak">
+        <value>Username</value>
+        <datastore access_json="['manager']['username']">organisation</datastore>
+        <generator type="flag_generator"/>
+      </input>
+    </vulnerability>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+</scenario>

scenarios/examples/vulnerability_examples/bludit_vulnerability.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>web_server</system_name>
+		<base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <vulnerability module_path=".*/bludit_upload_images_exec"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>