Metasploit mailing list archives

Metasploit 3 module for PHP < 4.5.0 unserialize() bug
From: hdm at metasploit.com (H D Moore)
Date: Sat, 17 Mar 2007 15:25:19 -0500

Just a quick update -- the exploit has been made generic and was renamed 
accordingly. The new module name is:


To use this exploit against a "generic" web application, set the TARGET to 
0 and the URI / COOKIENAME values to match your application. To save some 
time, I added targets for the following applications:

msf exploit(php_unserialize_zval_cookie) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux x86 Generic
   1   Linux x86 phpBB2
   2   Linux x86 punBB
   3   Linux x86 WWWThreads
   4   Linux x86 Deadman Redirect
   5   Linux x86 PhpWebGallery
   6   Linux x86 Ariadne-CMS
   7   Linux x86 ProMA
   8   Linux x86 eGroupware

Trivia: About 1 in 70 phpBB installations have been defaced:

To find more applications that allow exploitation of this PHP flaw, check 
out the following search results. Due to the size of the data needed to 
exploit this bug, $_GET and base64()'d cookie values cannot be used.


A generic exploit for POST variables will be added eventually.
