New Module: elFinder

modules/vulnerabilities/unix/http/elfinder/elfinder.pp

@@ -0,0 +1,8 @@
+# begining of puppet code execution
+
+contain elfinder::install
+contain elfinder::apache
+contain elfinder::configure
+Class['elfinder::install'] ->
+Class['elfinder::apache'] ->
+Class['elfinder::configure'] 

modules/vulnerabilities/unix/http/elfinder/manifests/apache.pp

@@ -0,0 +1,92 @@
+class elfinder::apache{
+	#install web server
+	#secgen parameters commented out and hardcode inputs used for testing
+	##$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+	$port = '80' ##$secgen_parameters['port'][0]
+	$releasename = 'elFinder-2.1.58'
+	$docroot = "/var/www/$releasename"
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	class { '::apache':
+		default_vhost => false,
+		default_mods => ['rewrite'],
+		overwrite_ports => false,
+		mpm_module => 'prefork'
+	} ->
+	#unzip install and update permissions 
+	exec {'elfinder':
+		cwd => '/usr/local/src',
+		command => "unzip $releasename.zip -d /var/www/",
+		creates => "$docroot"
+	}->
+	exec { 'chown-elfinder':
+		command => "chown www-data. /var/www/ -R",
+	}->exec { 'chown-elfinder-permissions':
+		command => "chown 755 /var/www/ -R",
+	}->
+	::apache::vhost { 'www-elfinder':
+		port    => $port,
+		docroot => $docroot,
+	}->
+	#remove default apache files
+	file{ '/var/www/html/index.html':
+        ensure  => absent,
+    } ->
+	file{ '/etc/apache2/sites-enabled/000-default.conf':
+	    ensure  => absent,
+	}-> 
+	file { "$docroot/php/connector.minimal.php":
+		ensure  => present,
+		content  => template('elfinder/connector.minimal.php')
+    }->
+	#removed url for 3rd party source and added custom congfigurations 
+    file { "$docroot/index.html":
+		ensure  => present,
+		content  => template('elfinder/elfinder.html')
+    }->
+	#removed url for 3rd party source
+    file { "$docroot/main.js":
+		ensure  => present,
+		content  => template('elfinder/main.js')
+    }->
+	#remove links for 3rd party urls
+	file { "$docroot/js/elFinder.options.js":
+		ensure  => present,
+		content  => template('elfinder/elFinder.options.js')
+    }->
+	file { "$docroot/css/jquery-ui.css":
+		ensure  => present,
+		content  => template('elfinder/jquery-ui.css')
+    }->
+	file { "$docroot/js/jquery-ui.min.js":
+		ensure  => present,
+		content  => template('elfinder/jquery-ui.min.js')
+    }->
+	file { "$docroot/js/jquery.min.js":
+		ensure  => present,
+		content  => template('elfinder/jquery.min.js')
+    }->
+		file { "$docroot/js/require.js":
+		ensure  => present,
+		content  => template('elfinder/require.js')
+    }->
+	file { "$docroot/js/require.min.js":
+		ensure  => present,
+		content  => template('elfinder/require.min.js')
+    }->
+		file { "$docroot/js/encoding.min.js":
+		ensure  => present,
+		content  => template('elfinder/encoding.min.js')
+    }->
+
+	exec { 'restart-apache-elfinder':
+		command => 'systemctl restart apache2',
+		logoutput => true
+	} ->
+	exec { 'wait-apache-elfinder':
+		command => 'sleep 4',
+	}
+
+
+}

modules/vulnerabilities/unix/http/elfinder/manifests/configure.pp

@@ -0,0 +1,52 @@
+class elfinder::configure {
+	#secgen parameters commented out and hardcode inputs used for testing
+	##$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+	$leaked_filenames = ["flagtest"] ##$secgen_parameters['leaked_filenames']
+	$strings_to_leak = ["this is a list of strings that are secrets / flags","another secret"] ##$secgen_parameters['strings_to_leak']
+	$releasename = 'elFinder-2.1.58'
+	$docroot = "/var/www/$releasename"
+	$dir_array=['folder1', 'folder2', 'folder3'] ##$secgen_parameters['strings_to_pre_leak'], 
+
+	 Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	#create public directory
+	file { "${docroot}/files/public":
+		ensure  => directory,
+		mode   => '0777',
+    }
+
+	#add read only folders 
+	$dir_array.each |String $dir_array| {
+	  file { "${docroot}/files/${leaked_filenames}":
+		ensure => directory,
+		owner  => 'www-data',
+		mode   => '0444',
+	  }
+	}
+
+	#create flag directory
+	file { "${docroot}/files/.hidden":
+		ensure  => directory,
+		owner  => 'www-data',
+		mode   => '0700',
+
+    }
+	#FOR TESTING ONLY
+	file { "${docroot}/files/.hidden/${leaked_filenames}":
+		ensure  => present,
+		owner  => 'www-data',
+		mode   => '0700',
+
+    }
+
+	# ::secgen_functions::leak_files { 'elfinder-flag-leak':
+		# storage_directory => '$docroot/files/.hidden',
+		# leaked_filenames  => $leaked_filenames,
+		# strings_to_leak   => $strings_to_leak,
+		# owner             => 'www-data',
+		# mode              => '0750',
+		# leaked_from       => 'elfinder',
+	#}
+
+
+}

modules/vulnerabilities/unix/http/elfinder/manifests/install.pp

@@ -0,0 +1,22 @@
+class elfinder::install {
+
+	$releasename = 'elFinder-2.1.58'
+
+
+	# ensure packages
+
+	ensure_packages(['php-xml','php-gd','php.mbstring','php-json','libapache2-mod-php','php'])
+	ensure_packages(['libjs-requirejs','libjs-jquery','libjs-jquery-ui','javascript-common'])
+
+	 # sets the default paths to use
+
+	 Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	# copy archive 
+	file { "/usr/local/src/$releasename.zip" :
+		ensure => file,
+		source => "puppet:///modules/elfinder/$releasename.zip",
+	} 
+
+
+}	

modules/vulnerabilities/unix/http/elfinder/secgen_metadata.xml

@@ -0,0 +1,96 @@
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+<name>elFinder Archive Command Injection</name>
+  <author>Sofia Markusfeld</author>
+  <module_license>BSD/MIT</module_license>
+
+  <description>elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via the archive functionality. 
+  </description>
+
+  <type>remote</type>
+  <type>in_the_wild</type>
+  <privilege></privilege>
+  <access>remote</access>
+  <platform>linux_apache_php</platform>
+  <difficulty>low</difficulty>
+
+
+   <read_fact>port</read_fact>
+   <read_fact>strings_to_leak</read_fact>
+      <read_fact>strings_to_preleak</read_fact>
+     <read_fact>leaked_filenames</read_fact>
+	 <read_fact>storage_directory</read_fact>
+
+   <default_input into="port">
+		<value>80</value>
+   </default_input>
+
+     <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+    <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+    <default_input into="storage_directory">
+    <generator type="storage_directory_generator"/>
+  </default_input>
+
+    <!--optional vulnerability details-->
+  <!-- rce vuln -->
+  <cve>CVE-2021-32682</cve>
+
+
+
+    <cvss_base_score>9</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
+  <reference>https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/elfinder_archive_cmd_injection.rb</reference>
+  <reference>https://www.rapid7.com/db/modules/exploit/linux/http/elfinder_archive_cmd_injection/</reference>
+  <software_name>elFinder</software_name>
+  <software_license>BSD/MIT</software_license>
+
+
+    <!--optional hints-->
+  <msf_module>exploit/linux/http/elfinder_archive_cmd_injection</msf_module>
+  <!--update for module-->
+  <hint>Visit the webapp in a browser at: ip/elfinder </hint>
+
+    <!-- find any conflicts ie webapp -->
+  <conflict>
+    <type></type>
+  </conflict>
+
+
+  <requires>
+    <module_path>.*apache.*compatible.*</module_path>
+  </requires>
+
+  <requires>
+    <module_path>.*php.*compatible.*</module_path>
+  </requires>
+
+
+
+  <!-- CyBOK metadata - related security concepts / knowledge required -->
+
+  <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+    <keyword>server-side misconfiguration and vulnerable components</keyword>
+    <keyword>FILE UPLOAD VULNERABILITY</keyword>
+  </CyBOK>
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+  </CyBOK>
+  <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+    <keyword>CVEs and CWEs</keyword>
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+
+</vulnerability>