Metasploit mailing list archives
Metasploit 3 module for PHP < 4.5.0 unserialize() bug
From: hdm at metasploit.com (H D Moore)
Date: Sat, 17 Mar 2007 15:25:19 -0500
Just a quick update -- the exploit has been made generic and was renamed accordingly. The new module name is:

    exploit/multi/php/php_unserialize_zval_cookie

To use this exploit against a "generic" web application, set the TARGET to 0 and the URI / COOKIENAME values to match your application. To save some time, I added targets for the following applications:

    msf exploit(php_unserialize_zval_cookie) > show targets

    Exploit targets:

       Id  Name
       --  ----
       0   Linux x86 Generic
       1   Linux x86 phpBB2
       2   Linux x86 punBB
       3   Linux x86 WWWThreads
       4   Linux x86 Deadman Redirect
       5   Linux x86 PhpWebGallery
       6   Linux x86 Ariadne-CMS
       7   Linux x86 ProMA
       8   Linux x86 eGroupware

Trivia: About 1 in 70 phpBB installations have been defaced:

http://www.google.com/search?num=100&hl=en&q=%22Powered+by+phpBB%22+%22hacked+by%22
http://www.google.com/search?num=100&hl=en&q=%22Powered+by+phpBB%22

To find more applications that allow exploitation of this PHP flaw, check out the following search results. Due to the size of the data needed to exploit this bug, $_GET and base64()'d cookie values cannot be used.

http://www.google.com/codesearch?hl=en&q=+unserialize.*COOKIE+-base64
http://www.google.com/codesearch?hl=en&lr=&q=unserialize.*POST

A generic exploit for POST variables will be added eventually.

-HD
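Added example, not part of the original message or of Metasploit: a small audit script that applies the two code-search patterns above to your own PHP source tree, so affected applications can be found and patched. The sample PHP, the function names and the "high"/"review" labels are assumptions made for this illustration.

```python
import re

# Request superglobals, including the PHP 4 long names ($HTTP_COOKIE_VARS ...).
SUPERGLOBAL = re.compile(r"\$(?:_|HTTP_)(COOKIE|POST|GET)(?:_VARS)?\b")
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
CALL = re.compile(r"\bunserialize\s*\(([^;]+)\)", re.I)
VAR = re.compile(r"\$\w+")

# Constructed sample input, not taken from any real application.
SAMPLE = r'''<?php
$raw = $HTTP_COOKIE_VARS['sess_data'];
$sess = unserialize(stripslashes($raw));
$prefs = unserialize(base64_decode($_COOKIE['prefs']));
$cart = unserialize($_POST['cart']);
$page = unserialize($_GET['p']);
$cfg = unserialize(file_get_contents('cfg.ser'));
'''

def origin(expr, tainted):
    """Return (source, base64_wrapped) if expr carries request data, else None."""
    b64 = "base64_decode" in expr.lower()
    hit = SUPERGLOBAL.search(expr)
    if hit:
        return hit.group(1), b64
    for var in VAR.findall(expr):
        if var in tainted:
            src, was_b64 = tainted[var]
            return src, was_b64 or b64
    return None

def audit(php_source):
    """Return [(line_no, source, priority)] for unserialize() on request data."""
    tainted, findings = {}, []
    for no, line in enumerate(php_source.splitlines(), 1):
        call = CALL.search(line)
        found = origin(call.group(1), tainted) if call else None
        if found:
            src, b64 = found
            # Raw cookie/POST data is what the message's searches look for;
            # it rules out $_GET and base64()'d cookies for this bug.
            high = src in ("COOKIE", "POST") and not b64
            findings.append((no, src, "high" if high else "review"))
        for var, expr in ASSIGN.findall(line):  # simple line-by-line taint tracking
            found = origin(expr, tainted)
            if found:
                tainted[var] = found
            else:
                tainted.pop(var, None)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries marked "review" still pass request data to unserialize() and should be read by hand; the script is a line-based heuristic, not a PHP parser.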