Better check and better follow redirect

2014-02-02 16:07:46 +00:00 · 2014-02-02 16:07:46 +00:00 · 9fa9402eb2
parent 0d3a40613e
commit 9fa9402eb2
2 changed files with 26 additions and 12 deletions
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@ -164,7 +164,7 @@ module Exploit::Remote::HttpClient

    # Configure the HTTP client with the supplied parameter
    nclient.set_config(
-      'vhost' => self.vhost(),
+      'vhost' => opts['vhost'] || self.vhost(),
      'agent' => datastore['UserAgent'],
      'uri_encode_mode'        => datastore['HTTP::uri_encode_mode'],
      'uri_full_url'           => datastore['HTTP::uri_full_url'],
@ -272,24 +272,37 @@ module Exploit::Remote::HttpClient
  # Connects to the server, creates a request, sends the request, reads the response
  #
  # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi unless
-  # follow_redirect is true and the server response with a 30x response.
-  # If the client is redirected +opts['uri']+ will be updated to reflect
-  # the redirect location.
+  # follow_redirect is true and the server responds with 30x.
+  # If the client is redirected +opts+ will be updated to reflect
+  # the redirect location and +opts['redirect_uri']+ will contain the full URI.
  #
  #
  def send_request_cgi(opts={}, timeout = 20)
+    opts['redirect_depth'] ||= 1
    t = opts[:timeout] ? opts[:timeout] : timeout
    begin
      c = connect(opts)
      r = c.request_cgi(opts)
      response = c.send_recv(r, t)

-      if opts['follow_redirect']
+      if opts['follow_redirect'] && (opts['redirect_depth'] > 0)
+        opts['redirect_depth'] -= 1
+
        if response
          code = response.code
+
          if code == 301 || code == 302 || code == 303 || code == 307 || code == 308
-            location = response.headers['Location']
-            opts['uri'] = path_from_uri(location)
+            location = URI(response.headers['Location'])
+            opts['redirect_uri'] = location
+            opts['uri'] = location.path
+            opts['rhost'] = location.host
+            opts['vhost'] = location.host
+            opts['rport'] = location.port
+
+            if location.scheme == 'https'
+              opts['ssl'] = true
+            end
+
            return send_request_cgi(opts, t)
          end
        end
--- a/modules/exploits/multi/http/mediawiki_djvu.rb
+++ b/modules/exploits/multi/http/mediawiki_djvu.rb
@ -63,8 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote

    response = send_request_cgi(opts)

-    if opts['uri'] != uri
-      vprint_status("Redirected to #{opts['uri']}.")
+    if opts['redirect_uri']
+      vprint_status("Redirected to #{opts['redirect_uri']}.")
    end

    unless response
@ -72,8 +72,9 @@ class Metasploit3 < Msf::Exploit::Remote
      return CheckCode::Unknown
    end

-    if response.code == 200
-      vprint_status('Response received...')
+    # Mediawiki will give a 404 for unknown pages but still have a body
+    if response.code == 200 || response.code == 404
+      vprint_status("#{response.code} response received...")
      response_html = Nokogiri::HTML(response.body)
      meta_gen_nodes = response_html.xpath("//meta[@name='generator']")

@ -86,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote

      if meta_generator && meta_generator =~ /mediawiki/i
        vprint_status("#{meta_generator} detected.")
-        meta_generator =~ /(\d)\.(\d)+\.(\d)+/
+        meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/
        major = $1.to_i
        minor = $2.to_i
        patch = $3.to_i