Land #3387, some Set-Cookie msftidy warning fixes

modules/exploits/multi/http/wikka_spam_exec.rb

@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Get the cookie in this format:
     # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
-    if res and res.headers['Set-Cookie']
-      cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
+    if res and !res.get_cookies.empty?
+      cookie = res.get_cookies
     else
       fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue")
     end
@@ -141,9 +141,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'vars_post' => login
     })
 
-    if res and res.headers['Set-Cookie'] =~ /user_name/
-      user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
-      pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
+    if res and res.get_cookies =~ /user_name/
+      c = res.get_cookies
+      user = c.scan(/(user_name\@\w+=\w+);/)[0] || ""
+      pass = c.scan(/(pass\@\w+=\w+)/)[0] || ""
       cookie_cred = "#{cookie}; #{user}; #{pass}"
     else
       cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"

modules/exploits/multi/http/zabbix_script_exec.rb

@@ -88,7 +88,7 @@ class Metasploit4 < Msf::Exploit::Remote
       fail_with("Login failed")
     end
 
-    sess = login.headers['Set-Cookie']
+    sess = login.get_cookies
 
     dash = send_request_cgi({
       'method' => 'GET',

modules/exploits/multi/php/php_unserialize_zval_cookie.rb

@@ -255,7 +255,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # Detect the phpBB cookie name
-    if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/)
+    if res.get_cookies =~ /(.*)_(sid|data)=/
       vprint_status("The server may require a cookie name of '#{$1}_data'")
     end
 

modules/exploits/unix/http/lifesize_room.rb

@@ -56,11 +56,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'method'    => 'GET',
     }, 10)
 
-    if not (res and res.headers['set-cookie'])
+    if res.nil? || res.get_cookies.empty?
       fail_with(Failure::NotFound, 'Could not obtain a Session ID')
     end
 
-    sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
+    sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0]
 
     headers = {
       'Cookie'        => sessionid,

modules/exploits/unix/webapp/foswiki_maketext.rb

@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
       })
 
-    if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/
+    if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/
       vprint_status "#{res.code}\n#{res.body}"
       return nil
     end
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_good("validation_key found: #{validation_key}")
 
     if session.empty?
-      if res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/
+      if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/
         session = $1
       else
         vprint_error("Error using anonymous access")
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
-    if res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/
+    if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/
       strike_one = $1
     else
       vprint_error("Error getting the FOSWIKISTRIKEONE value")

modules/exploits/unix/webapp/hastymail_exec.rb

@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     if res and res.code == 303
-      @session_id = res["Set-Cookie"]
+      @session_id = res.get_cookies
       print_good "#{peer} - Authentication successful"
     end
   end

modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb

@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'GET'
       })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
+    if res and res.code == 200 and res.get_cookies =~ /(.+)session/
       print_status("#{peer} - Cookie prefix #{$1} found")
       cookie_prefix = $1
     end

modules/exploits/unix/webapp/joomla_media_upload_exec.rb

@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Checking Access to Media Component...")
     res = get_upload_form
 
-    if res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
+    if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/
       print_status("#{peer} - Authentication required... Proceeding...")
 
       if @username.empty? or @password.empty?
@@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote
       if not res or res.code != 303
         fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate")
       end
-    elsif res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/
+    elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action="(.*)" id="uploadForm"/
       print_status("#{peer} - Authentication isn't required.... Proceeding...")
       @cookies = res.get_cookies.sub(/;$/, "")
     else

modules/exploits/unix/webapp/nagios_graph_explorer.rb

@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
     return '' if !res
 
     nsp = res.body.scan(/<input type='hidden' name='nsp' value='(.+)'>/).flatten[0] || ''
-    cookie = (res.headers['Set-Cookie'] || '').scan(/nagiosxi=(\w+); /).flatten[0]  || ''
+    cookie = res.get_cookies.scan(/nagiosxi=(\w+); /).flatten[0]  || ''
     return nsp, cookie
   end
 

modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb

@@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
     })
 
-    if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/
+    if res && res.code == 200 and res.get_cookies =~ /OpenEMR=([a-zA-Z0-9]+)/
       session = $1
       print_status("#{rhost}:#{rport} - Login successful")
       print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]")

modules/exploits/unix/webapp/phpmyadmin_config.rb

@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
     token = $1
-    cookie = response["Set-Cookie"]
+    cookie = response.get_cookies
 
     # There is probably a great deal of randomization that can be done with
     # this format.

modules/exploits/unix/webapp/sphpblog_file_upload.rb

@@ -112,10 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'data'    => "user=#{user}&pass=#{pass}",
     }, 25)
 
-    if (res)
+    if res
       print_status("Successfully logged in as #{user}:#{pass}")
 
-      if (res.headers['Set-Cookie'] =~ /my_id=(.*)/)
+      if res.get_cookies =~ /my_id=(.*)/
         session = $1
         print_status("Successfully retrieved cookie: #{session}")
         return session

modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb

@@ -95,12 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'data'   => data
     })
 
-    if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
+    if res.nil? or res.headers['Location'] =~ /action=Login/ or res.get_cookies.empty?
       print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
       return
     end
 
-    if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
+    if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/
       session_id = $1
     else
       print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)")

modules/exploits/unix/webapp/trixbox_langchoice.rb

@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_status "We received the expected HTTP code #{target_code}"
 
     # We will need the cookie PHPSESSID to continue
-    cookies = response.headers['Set-Cookie']
+    cookies = response.get_cookies
 
     # Make sure cookies were set
     if defined? cookies and cookies =~ PHPSESSID_REGEX
@@ -145,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status "The server responded to POST with HTTP code #{delivery_response.code}"
 
     # We will need the cookie PHPSESSID to continue
-    cookies = delivery_response.headers['Set-Cookie']
+    cookies = delivery_response.get_cookies
 
     # Make sure cookies were set
     if cookies.nil?

modules/exploits/unix/webapp/twiki_maketext.rb

@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
       })
 
-    if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/
+    if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/
       return nil
     end
 
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_good("crypttoken found: #{crypttoken}")
 
     if session.empty?
-      if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/
+      if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/
         session = $1
       else
         vprint_error("Error using anonymous access")
@@ -225,4 +225,4 @@ end
 
 %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%
 
-=end
+=end

modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb

@@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie']
+    if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and !res.get_cookies.empty?
       session = res.get_cookies
     else
       return nil

modules/exploits/unix/webapp/webmin_show_cgi_exec.rb

@@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote
         'data'    => data
       }, 25)
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
+    if res and res.code == 302 and res.get_cookies =~ /sid/
       vprint_good "#{peer} - Authentication successful"
-      session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0]
+      session = res.get_cookies.split("sid=")[1].split(";")[0]
     else
       vprint_error "#{peer} - Service found, but authentication failed"
       return Exploit::CheckCode::Detected
@@ -118,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'data'    => data
       }, 25)
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
-      session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
+    if res and res.code == 302 and res.get_cookies =~ /sid/
+      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
       if session and not session.empty?
         print_good "#{peer} - Authentication successfully"
       else

modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb

@@ -215,11 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
     end
 
-    admin_cookie = ''
-    (res.headers['Set-Cookie'] || '').split(',').each do |cookie|
-      admin_cookie << cookie.split(';')[0]
-      admin_cookie << ';'
-    end
+    admin_cookie = res.get_cookies
 
     if admin_cookie.empty?
       fail_with(Failure::UnexpectedReply, 'The resulting cookie was empty')

modules/exploits/unix/webapp/zpanel_username_exec.rb

@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::NoAccess, "#{peer} - Login failed")
     end
 
-    res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || ''
+    res.get_cookies.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || ''
   end
 
 
@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
     fail_with(Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res
 
     token = res.body.scan(/<input type="hidden" name="csfr_token" value="(.+)">/).flatten[0] || ''
-    sid   = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || ''
+    sid   = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || ''
     fail_with(Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty?
 
     return token, sid

modules/exploits/windows/http/osb_uname_jlist.rb

@@ -74,8 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'POST',
       }, 5)
 
-    if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
-      sessionid = res.headers['Set-Cookie'].split(';')[0]
+    if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
+      sessionid = res.get_cookies
 
       data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
 

modules/exploits/windows/http/solarwinds_storage_manager_sql.rb

@@ -187,8 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Pick up the cookie, example:
     # JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB
-    if res and res.headers['Set-Cookie'] =~ /JSESSIONID=(\w+);/
-      cookie = "JSESSIONID=#{$1}"
+    if res and res.get_cookies =~ /JSESSIONID=(\w+);/
+      cookie = res.get_cookies
     else
       print_error("Unable to get a session ID")
       return