diff --git a/modules/exploits/multi/http/mediawiki_djvu.rb b/modules/exploits/multi/http/mediawiki_djvu.rb
index b9727a8e18..0c900d7349 100644
--- a/modules/exploits/multi/http/mediawiki_djvu.rb
+++ b/modules/exploits/multi/http/mediawiki_djvu.rb
@@ -75,12 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote
 # Mediawiki will give a 404 for unknown pages but still have a body
 if response.code == 200 || response.code == 404
 vprint_status("#{response.code} response received...")
- response_html = Nokogiri::HTML(response.body)
- meta_gen_nodes = response_html.xpath("//meta[@name='generator']")
+ meta_generator = get_html_value(response.body, 'meta', 'generator', 'content')
- if meta_gen_nodes.first && meta_gen_nodes.first['content']
- meta_generator = meta_gen_nodes.first['content']
- else
+ unless meta_generator
 vprint_status("No META Generator tag on #{full_uri}.")
 return CheckCode::Unknown
 end
@@ -137,8 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
 session_cookie = response.get_cookies
- response_html = Nokogiri::HTML(response.body)
- wp_login_token = get_token_value(response_html, 'wpLoginToken')
+ wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')
 unless wp_login_token
 fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")
@@ -182,10 +178,9 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Failure::NotFound, "Failed to access file upload page.")
 end
- upload_file_html = Nokogiri::HTML(upload_file.body)
- wp_edit_token = get_token_value(upload_file_html, 'wpEditToken')
- wp_upload = get_token_value(upload_file_html, 'wpUpload')
- title = get_token_value(upload_file_html, 'title')
+ wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value')
+ wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')
+ title = get_html_value(upload_file.body, 'input', 'title', 'value')
 unless wp_edit_token
 fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")
@@ -246,15 +241,13 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Failure::NotFound, "Failed to open target edit page: #{random_page}.")
 end
- random_html = Nokogiri::HTML(random_edit.body)
-
- wp_auto_summary = get_token_value(random_html, 'wpAutoSummary')
- wp_edit_token = get_token_value(random_html, 'wpEditToken')
- wp_start_time = get_token_value(random_html, 'wpStarttime')
- wp_edit_time = get_token_value(random_html, 'wpEdittime')
- old_id = get_token_value(random_html, 'oldid')
- wp_scroll_top = get_token_value(random_html, 'wpScrolltop')
- wp_section = get_token_value(random_html, 'wpSection')
+ wp_auto_summary = get_html_value(random_edit.body, 'input', 'wpAutoSummary', 'value')
+ wp_edit_token = get_html_value(random_edit.body, 'input', 'wpEditToken', 'value')
+ wp_start_time = get_html_value(random_edit.body, 'input', 'wpStarttime', 'value')
+ wp_edit_time = get_html_value(random_edit.body, 'input', 'wpEdittime', 'value')
+ old_id = get_html_value(random_edit.body, 'input', 'oldid', 'value')
+ wp_scroll_top = get_html_value(random_edit.body, 'input', 'wpScrolltop', 'value')
+ wp_section = get_html_value(random_edit.body, 'input', 'wpSection', 'value')
 if wp_edit_token
 print_good("Retrieved edit CSRF token.")
@@ -292,12 +285,30 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
- def get_token_value(document, value_name)
- return nil unless document
- return nil unless value_name
- node = document.xpath("//input[@name='#{value_name}']")
- return nil unless node
- node.first['value']
+ # The order of name, value keeps shifting so regex is painful.
+ # Cant use nokogiri due to security issues
+ # Cant use REXML directly as its not strict XHTML
+ # So we do a filthy mixture of regex and REXML
+ def get_html_value(html, type, name, value)
+ return nil unless html
+ return nil unless type
+ return nil unless name
+ return nil unless value
+
+ found = nil
+ html.each_line do |line|
+ if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i
+ found = $&
+ break
+ end
+ end
+
+ if found
+ doc = REXML::Document.new found
+ return doc.root.attributes[value]
+ end
+
+ nil
 end
 end
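Review bot: In `get_html_value`, `REXML::Document.new found` raises an unhandled `REXML::ParseException` whenever the matched tag is valid HTML but not well-formed XML (an attribute value holding a bare `&` or an HTML-only entity such as `&nbsp;`), and the per-line regex `/(<#{type}[^\/]*name="#{name}".*?\/>)/i` only matches tags that are self-closed with `/>` on one line and use a double-quoted `name=`, so every caller in the earlier hunks silently receives nil and `check` reports Unknown. `type` and `name` are interpolated into the pattern unescaped; they are literals at each call site today, but `Regexp.escape` removes that assumption, and `found = $&` would read better as `Regexp.last_match(1)` since the whole pattern is already a group. The four guard clauses collapse to `return nil unless html && type && name && value`. `REXML::Document` needs `require 'rexml/document'` in scope, which is not visible in this hunk, so it is worth confirming the framework already loads it. A sketch that accepts `<tag ...>` as well as `<tag ... />`, escapes the pattern and turns a parse failure into nil instead of an exception:
```ruby
  def get_html_value(html, type, name, value)
    return nil unless html && type && name && value

    # Match the whole tag, self-closed or not; escape the interpolated
    # pieces so they match literally rather than as regex syntax.
    pattern = /<#{Regexp.escape(type)}\b[^>]*\bname=["']#{Regexp.escape(name)}["'][^>]*>/i
    found = html[pattern]
    return nil unless found

    # HTML allows a bare '>' close and an unescaped '&' in attribute values;
    # REXML does not, so normalise before handing the fragment to it.
    xml = found.sub(%r{/?>\z}, '/>').gsub(/&(?!(?:amp|lt|gt|quot|apos|#\d+|#x\h+);)/i, '&amp;')
    REXML::Document.new(xml).root.attributes[value]
  rescue REXML::ParseException => e
    vprint_error("Could not parse <#{type} name=\"#{name}\"> tag: #{e.message}")
    nil
  end
```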