This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
4878a731edc0be4c0ac00692ed93b267a31861eb08b009ecca9a7586cc59c464
Mida eFramework version 2.9.0 suffers from a remote code execution vulnerability.
1d91860562323de0b96d48e3fab2bd5c3cff83336de0debd04431d028e64421a