Add FastAdmin Path Traversal Module (CVE-2024-7928) #20045

Open: wants to merge 6 commits into master.

Conversation

Kazgangap

📌 Add FastAdmin Path Traversal Auxiliary Module (CVE-2024-7928)

Description

This PR adds an auxiliary scanner module for a path traversal vulnerability in FastAdmin (versions ≤ 1.3.3.20220121).
The issue exists in the /index/ajax/lang endpoint, where the lang parameter can be manipulated to access arbitrary files on the server. This allows unauthenticated attackers to retrieve sensitive configuration files, including database credentials.

Vulnerability Details

Verification Steps

  1. Deploy a vulnerable version of FastAdmin or identify targets using tools like FOFA/Shodan.
  2. Start msfconsole.
  3. Load the module:
    use auxiliary/scanner/http/fastadmin_path_traversal_cve_2024_7928
    
  4. Set the RHOSTS and RPORT options:
    set RHOSTS <target_ip>
    set RPORT 80
    
  5. Run the module:
    run
    
  6. If the target is vulnerable, database configuration details will be printed.

Output Example

[+] 192.0.2.10 is vulnerable!
[+] DB Type   : mysql
[+] Hostname  : <redacted>
[+] Database  : fastadmin
[+] Username  : root
[+] Password  : <redacted>

Notes

  • The module parses the JSONP response and extracts DB credentials.
  • Results are saved with report_note for later usage.

Let me know if you'd like me to squash commits or reformat anything.
Thanks for reviewing my first contribution to the Metasploit Framework 🙌

@Kazgangap Kazgangap changed the title Fastadmin Add FastAdmin Path Traversal Module (CVE-2024-7928) Apr 17, 2025
@msutovsky-r7 msutovsky-r7 self-assigned this Apr 17, 2025
Contributor

@msutovsky-r7 msutovsky-r7 left a comment

Hi @Kazgangap, thanks for your contribution! I have left some comments for you about the code. Also, while getting sensitive information from one file looks like a good start, it seems like this vulnerability can be exploited to read arbitrary files, if I'm not mistaken. Therefore, I think it makes more sense to modify this into an arbitrary file read module. Let me know if you need any help or if you have any comments/notes.

'ssl' => datastore['SSL']
})

unless res && res.code == 200 && res.body.include?('jsonpReturn(')
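Review bot: the nil guard and the status check can be collapsed into `unless res&.code == 200 && res.body.include?('jsonpReturn(')`; when `res` is nil the safe-navigation call yields nil, `nil == 200` is false and the `&&` short-circuits before `res.body` is reached, so no separate `res &&` is needed. A 200 response that carries the callback prefix only shows the endpoint answered, not that a file outside the intended directory was read, so the vulnerable verdict should rest on the credential-key checks that follow rather than on this line.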
Contributor

Suggested change
unless res && res.code == 200 && res.body.include?('jsonpReturn(')
unless res&.code == 200 && res.body.include?('jsonpReturn(')

return
end

unless data['username'] && data['password'] && data['database']
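Review bot: `data.dig('username')` with a single key behaves exactly like `data['username']`, so the suggested change does not add safety on its own; what would is a type check before indexing, e.g. `unless data.is_a?(Hash) && data['username'] && data['password'] && data['database']`, because a JSONP payload that parses to an Array makes `data['username']` raise a TypeError and aborts the scan for that host instead of reporting it as not vulnerable.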
Contributor

Suggested change
unless data['username'] && data['password'] && data['database']
unless data.dig('username') && data.dig('password') && data.dig('database')

Contributor

Would you mind adding some steps to set up the target?

Contributor

Can you please rubocop this file?

res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'ssl' => datastore['SSL']
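Review bot: the `'ssl' => datastore['SSL']` entry is redundant; the HttpClient mixin already connects using the SSL datastore option, so `send_request_cgi` needs only `'uri'` and `'method'` here. If `url` is built by string concatenation, prefer `normalize_uri(target_uri.path, 'index', 'ajax', 'lang')` so a TARGETURI with or without a trailing slash still yields a well-formed path.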
Contributor

I'm not sure if this is necessary

))

register_options([
Opt::RPORT(80),
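Review bot: `Opt::RPORT(80)` duplicates an option the HttpClient mixin already registers with the same default, so this entry can be dropped from `register_options`; keeping it is harmless but adds noise to the module's options table.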
Contributor

You probably don't have to register port 80, as it should be default.

@Kazgangap
Author

Hi @msutovsky-r7, thanks for the review and feedback!

This is indeed a path traversal vulnerability, but from my testing it seems to be somewhat limited — I wasn't able to read files like /etc/passwd, for example. It looks like access might be restricted to certain application directories.

The original PoCs and the Python script I found also focused on reading the application/database file, which is what I based the module on. That file contains sensitive database credentials, so I thought it was still a useful target.

I’ve also included setup instructions in the module description to help with reproduction. For testing, I found targets using Fofa and confirmed the exploit works in real scenarios.

@Kazgangap Kazgangap requested a review from msutovsky-r7 April 25, 2025 10:03
@msutovsky-r7 msutovsky-r7 removed their assignment Apr 25, 2025
@dledda-r7 dledda-r7 self-assigned this Apr 28, 2025
```bash
git clone https://github.com/fastadminnet/fastadmin.git
cd fastadmin
git checkout 1.3.3.20220121
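Review bot: the checkout target has to match the repository's actual tag name; after the clone, `git tag -l '*1.3.3.20220121*'` shows whether the tag carries a `v` prefix, and the documented command should use that exact name so a reader lands on the vulnerable release rather than on a checkout error.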
Contributor

Suggested change
git checkout 1.3.3.20220121
git checkout v1.3.3.20220121


7. **Import the Database Schema**
```bash
mysql -u root -p fastadmin < fastadmin.sql
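Review bot: `fastadmin.sql` is given as a bare filename, so this step only works from whatever directory holds the dump; document the path relative to the repository root, and make sure an earlier step creates the `fastadmin` database, otherwise `mysql` exits with an unknown-database error before importing anything.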
Contributor

Suggested change
mysql -u root -p fastadmin < fastadmin.sql
mysql -u <username> -p fastadmin < ./application/admin/command/Install/fastadmin.sql

```bash
mysql -u root -p fastadmin < fastadmin.sql
```
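Review bot: the setup instructions stop at the schema import, but the repository carries a composer.json, so a step that runs `composer install` from the application root (with permission to create the vendor directory) is missing; without the PHP dependencies the freshly installed application renders a blank page.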

Contributor

I am having some issues finalizing the setup; it looks like after following all the steps, I get a blank page. I saw there is a composer.json file, shouldn't I do something like composer install to get the package dependencies?

Author

I am having some issues finalizing the setup; it looks like after following all the steps, I get a blank page. I saw there is a composer.json file, shouldn't I do something like composer install to get the package dependencies?

Hi @dledda-r7, sorry for the late response to your message. Honestly, I was referring to the standard setup of the application—I haven't installed it myself. I tested it on assets found among approximately 300,000 results in FOFA. It wouldn't be ethical to directly share vulnerable assets, but you can find assets to test by searching for keywords like fastadmin or using queries such as icon_hash="-1036943727" on FOFA.

Contributor

Hello @Kazgangap, in order to land the module, we need to have a valid setup documented with clear steps to install the application in a vulnerable state. Moreover, launching exploits and/or Metasploit modules on third-party vulnerable systems is not something we can do to verify the functionality of a pull request. Please take your time documenting the application setup to be vulnerable and update the docs accordingly.
Thanks for your understanding.

@dledda-r7 dledda-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Apr 30, 2025
@Kazgangap Kazgangap requested a review from dledda-r7 May 5, 2025 18:49
@dledda-r7 dledda-r7 added needs-docs blocked Blocked by one or more additional tasks and removed docs labels May 19, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@dledda-r7 dledda-r7 removed their assignment May 22, 2025
@jheysel-r7 jheysel-r7 self-assigned this May 22, 2025
@jheysel-r7
Contributor

Hey @Kazgangap I was able to install the application successfully with a few extra steps.

  • Set up a site-available, enable it, restart apache2
  • edit composer.json to not reach out to "gitee", as it requires credentials and doesn't seem necessary - it can be removed
  • install php7.4-bcmath for the version of PHP being used in the application and enable it with sudo phpenmod bcmath
  • run composer install (ensure it has permissions to create /var/www/html/vendor)

Can you see if these work for you as well, and if so, add them to the documentation? Thank you!
