Home page logo
/

metasploit logo Metasploit mailing list archives

Metasploit 3 module for PHP < 4.5.0 unserialize() bug
From: hdm at metasploit.com (H D Moore)
Date: Sat, 17 Mar 2007 15:25:19 -0500

Just a quick update -- the exploit has been made generic and was renamed 
accordingly. The new module name is:

exploit/multi/php/php_unserialize_zval_cookie

To use this exploit agains a "generic" web application, set the TARGET to 
0 and the URI / COOKIENAME values to match your application. To save some 
time, I added targets for the following applications:
msf exploit(php_unserialize_zval_cookie) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux x86 Generic
   1   Linux x86 phpBB2
   2   Linux x86 punBB
   3   Linux x86 WWWThreads
   4   Linux x86 Deadman Redirect
   5   Linux x86 PhpWebGallery
   6   Linux x86 Ariadne-CMS
   7   Linux x86 ProMA
   8   Linux x86 eGroupware

Trivia: About 1 in 70 phpBB installations have been defaced:
http://www.google.com/search?num=100&hl=en&q=%22Powered+by+phpBB%22+%22hacked+by%22
http://www.google.com/search?num=100&hl=en&q=%22Powered+by+phpBB%22

To find more applications that allow exploitation of this PHP flaw, check 
out the following search results. Due to the size of the data needed to 
exploit this bug, $_GET and base64()'d cookie values cannot be used.

http://www.google.com/codesearch?hl=en&q=+unserialize.*COOKIE+-base64
http://www.google.com/codesearch?hl=en&lr=&q=unserialize.*POST

A generic exploit for POST variables will be added eventually.

-HD



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]