infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update atutor_filemanager_traversal

bug/bundler_fix
wchen-r7 2016-03-22 14:44:07 -05:00
parent 9cb43f2153
commit 102d28bda4
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/exploits/linux/http/atutor_filemanager_traversal.rb
View File

@ -23,13 +23,11 @@ class MetasploitModule < Msf::Exploit::Remote
You are required to login to the target to reach the vulnerability, however this can be
done as a student account and remote registration is enabled by default.
Just incase remote registration isnt enabled, this module uses 2 vulnerabilities
in order to bypass the authenication:
Just in case remote registration isn't enabled, this module uses 2 vulnerabilities
in order to bypass the authentication:
1. confirm.php Authentication Bypass Type Juggling vulnerability
2. password_reminder.php Remote Password Reset TOCTOU vulnerability
~ spirit of the hack
},
'License' => MSF_LICENSE,
'Author' =>
@ -284,7 +282,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
})
# poor php developer practices
cookie = "ATutorID=#{$4};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
cookie = "ATutorID=#{$4};" if res && res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
if res && res.code == 302
if res.redirection.to_s.include?('bounce.php?course=0')
return cookie