Responded to comments

jheysel-r7 · jheysel-r7 · commit 4cec129e1c4f · 2025-04-10T10:53:05.000-07:00
diff --git a/documentation/modules/exploit/multi/http/pgadmin_query_tool_authenticated.md b/documentation/modules/exploit/multi/http/pgadmin_query_tool_authenticated.md
@@ -19,7 +19,7 @@ docker run -d -p 8484:80 -e PGADMIN_DEFAULT_EMAIL=admin@admin.com -e PGADMIN_DEF
 ```
 A PostgreSQL database needs to be connected to the pgAdmin instance in order to exploit. The version of postgresql doesn't matter:
 ```bash
-docker run -d \\n  -p 5432:5432 \\n  --name postgres \\n  -e POSTGRES_PASSWORD=mysecretpassword \\n  -e POSTGRES_USER=pgadminuser \\n  -e POSTGRES_DB=pgadmin \\n  postgres:latest
+docker run -d -p 5432:5432 --name postgres -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_USER=pgadminuser -e POSTGRES_DB=pgadmin postgres:latest
 ```
 
 ## Verification Steps
diff --git a/lib/msf/core/exploit/pgadmin.rb b/lib/msf/core/exploit/pgadmin.rb
@@ -24,10 +24,10 @@ def get_version
       Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")
     end
 
-    def check_version(patched_version)
+    def check_version(patched_version, low_bound = 0)
       version = get_version
       return Msf::Exploit::CheckCode::Unknown('Unable to determine the target version') unless version
-      return Msf::Exploit::CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new(patched_version)
+      return Msf::Exploit::CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new(patched_version) || version < Rex::Version.new(low_bound)
 
       Msf::Exploit::CheckCode::Appears("pgAdmin version #{version} is affected")
     end
@@ -37,7 +37,7 @@ def csrf_token
 
       res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
       set_csrf_token_from_login_page(res)
-      fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token
+      fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token
       @csrf_token
     end
 
diff --git a/modules/exploits/multi/http/pgadmin_query_tool_authenticated.rb b/modules/exploits/multi/http/pgadmin_query_tool_authenticated.rb
@@ -68,7 +68,9 @@ def initialize(info = {})
   end
 
   def check
-    check_version('9.2')
+    # Although there is no low bound mentioned in the advisory, we can see that the vulnerable eval() statement was
+    # introduced in version 8.10: https://github.com/pgadmin-org/pgadmin4/commit/22cdb86aab5825787a36d149f8e6eb34fb26d817
+    check_version('9.2', '8.10')
   end
 
   # Return only the required URI encoded fields in order for the POST request to be successful
